[Snyk] Fix for 38 vulnerabilities

[rfxn]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json
  • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ACORN-559469	No	No Known Exploit
	619/1000 Why? Has a fix available, CVSS 8.1	Prototype Pollution SNYK-JS-AJV-584908	Yes	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	No	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-COOKIEJAR-3149984	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-DECODEURICOMPONENT-3149970	Yes	Proof of Concept
	579/1000 Why? Has a fix available, CVSS 7.3	Arbitrary File Overwrite SNYK-JS-FSTREAM-174725	Yes	No Known Exploit
	584/1000 Why? Has a fix available, CVSS 7.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-HAWK-2808852	Yes	No Known Exploit
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-INI-1048974	No	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ISMYJSONVALID-597165	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Arbitrary Code Execution SNYK-JS-ISMYJSONVALID-597167	Yes	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-JSONPOINTER-1577288	Yes	Proof of Concept
	811/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 9.8	Prototype Pollution SNYK-JS-JSONPOINTER-598804	Yes	Proof of Concept
	644/1000 Why? Has a fix available, CVSS 8.6	Prototype Pollution SNYK-JS-JSONSCHEMA-1920922	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	Yes	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-450202	Yes	Proof of Concept
	731/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.2	Prototype Pollution SNYK-JS-LODASH-567746	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-608086	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-73638	Yes	Proof of Concept
	541/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	Yes	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-3050818	Yes	No Known Exploit
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Prototype Pollution SNYK-JS-MINIMIST-2429795	Yes	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Poisoning SNYK-JS-QS-3153490	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	No	Proof of Concept
	624/1000 Why? Has a fix available, CVSS 8.2	Arbitrary File Overwrite SNYK-JS-TAR-1536528	No	No Known Exploit
	624/1000 Why? Has a fix available, CVSS 8.2	Arbitrary File Overwrite SNYK-JS-TAR-1536531	No	No Known Exploit
	410/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) SNYK-JS-TAR-1536758	No	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579147	No	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579152	No	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579155	No	No Known Exploit
	726/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.1	Arbitrary File Overwrite SNYK-JS-TAR-174125	Yes	Proof of Concept
	711/1000 Why? Mature exploit, Has a fix available, CVSS 6.5	Uninitialized Memory Exposure npm:atob:20180429	Yes	Mature
	434/1000 Why? Has a fix available, CVSS 4.4	Time of Check Time of Use (TOCTOU) npm:chownr:20180731	No	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Insecure Randomness npm:cryptiles:20180710	Yes	No Known Exploit
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution npm:deep-extend:20180409	No	Proof of Concept
	579/1000 Why? Has a fix available, CVSS 7.3	Prototype Pollution npm:extend:20180424	Yes	No Known Exploit
	646/1000 Why? Mature exploit, Has a fix available, CVSS 5.2	Uninitialized Memory Exposure npm:stringstream:20180511	Yes	Mature

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: bitfinex-api-node

The new version differs by 250 commits.

• cbb2502 updated docs
• 45e8a0d Merge pull request Added send/buy orders notifications using Slack's Incoming WebHooks API. DeviaVir/zenbot#583 from ZIMkaRU/bugfix/fix-ws-transport-to-support-new-rest-api-signature
• df7889b Update CHANGELOG
• d38c4fc Update CHANGELOG
• bf1df8f Update CHANGELOG
• d951c24 Update package.json
• f072f0e Bump bfx-api-node-rest version up to 5.1.1
• 54300fc Bump bfx-api-node-models version up to 1.7.1
• e337030 Change min node version to 16.20
• 2164cba Update docs
• 050c326 Add changes to changelog
• 21d0961 Bump version up to 6.0.1
• b6a407b Fix ws transports methods params
• 08a085a Merge pull request Bittrex API 2.0 DeviaVir/zenbot#582 from ZIMkaRU/feature/resolve-deps-issue
• cb37175 Add changes to changelog
• 59d7587 Move dev deps into corresponding section
• 5a39752 Update docs
• f2d93f6 Bump version up to 6.0.0
• ac5f726 Bump dep versions to fix vulnerabilities
• f41b7ef Bump bfx-api-node-rest version up to 5.1.0
• 5344bd2 Remove bluebird Promise
• eceaf2a Remove unused deps
• be6596c Merge pull request Genetic back tester fails to fetch test results because of ansi codes DeviaVir/zenbot#578 from vitaliystoliarovcc/fix/emit-public-funding-trades
• 92a7b77 5.0.4

See the full diff

Package name: css-loader

The new version differs by 9 commits.

• 43179a8 chore(release): 1.0.0
• 3d53968 Merge remote-tracking branch 'origin/master'
• 240db53 version 1.0 (Trading mode DeviaVir/zenbot#742)
• 1b7acf7 Merge remote-tracking branch 'origin/master'
• 1703721 docs(README): add more context to `localIdentName` (Bittrex and Insufficient Funds (#708) DeviaVir/zenbot#711)
• 1c51265 docs(README): fix malformed emoji (BTCE is no more DeviaVir/zenbot#701)
• 50f8ec0 Merge remote-tracking branch 'origin/master'
• 07444ad tests: css custom variables (Three strategies have been coded to the best of my ability. + Lightning Fast Threading DeviaVir/zenbot#709)
• 3de8aa7 tests: css custom variables (Three strategies have been coded to the best of my ability. + Lightning Fast Threading DeviaVir/zenbot#709)

See the full diff

Package name: lint-staged

The new version differs by 101 commits.

• e24aaf2 fix: parse titles for function linters
• e862e7e docs: correct config file name
• 309ff1c docs: restore filtering section to README
• 4bef26e feat: add deprecation error for advanced configuration
• e829646 refactor: remove dependency on path-is-inside
• 767edbd refactor: remove dependency on lodash
• c59cd9a chore: upgrade dependencies
• 19536e3 refactor: pass unparsed commands to execa with --shell
• 275d996 refactor: rename --silent to --quiet
• 18acd59 docs: update README
• 2ba6d61 test: ignore testSetup from coverage report
• ecf9227 feat: add --shell and --quiet flags
• 04190c8 refactor: remove advanced configuration options
• bed9127 refactor: use execa's shell option to run commands
• d3f6475 docs: update contributors
• b71b9c8 refactor: warn about long arguments string only once
• bcd52ac docs: update README
• efe8f06 docs: print a warning when arguments length is too long based on platform
• 2753640 docs: update README
• 28f3c40 refactor: remove unused configuration options
• 4db2353 test: add test for linter command exiting with code 1
• 6d4beec test: update tests for function linters
• 36e54a2 feat: support function linter returning array of commands
• 9e4346f refactor: support function linters in getConfig

See the full diff

Package name: node-sass

The new version differs by 197 commits.

• 3b556c1 7.0.2
• c716359 Bump sass-graph@^4.0.1 (#3292)
• 24741b3 docs(readme): fix docpad plugin link
• 1523330 feat: Drop Node 12
• 365d357 update https://registry.npm.taobao.org to https://registry.npmmirror.com
• 1456114 build(deps): bump actions/upload-artifact from 2 to 3
• b465b69 chore: bump GitHub Actions to Windows 2019 (#3254)
• e6194b1 build(deps): bump make-fetch-happen from 9.1.0 to 10.0.4
• 4edf594 build(deps): bump node-gyp from 8.4.1 to 9.0.0
• 29e2344 build(deps): bump actions/checkout from 2 to 3
• 85b0d22 build(deps): bump actions/setup-node from 2 to 3
• 3bb51da Use make-fetch-happen instead of request (#3193)
• adc2f8b build(deps): bump true-case-path from 1.0.3 to 2.2.1 (#3000)
• 77d12f0 chore: disable Apline for Node 16/17 builds
• 308d533 ci: use Python 3 for Node 12
• c818907 ci: unpin actions/setup-node to v2
• 99242d7 7.0.1
• 77049d1 build(deps): bump sass-graph from 2.2.5 to 4.0.0 (#3224)
• c929f25 build(deps): bump node-gyp from 7.1.2 to 8.4.1 (#3209)
• 918dcb3 Lint fix
• 0a21792 Set rejectUnauthorized to true by default (#3149)
• e80d4af chore: Drop EOL Node 15 (#3122)
• d753397 feat: Add Node 17 support (#3195)
• dcf2e75 build(deps-dev): bump eslint from 7.32.0 to 8.0.0

See the full diff

Package name: node-telegram-bot-api

The new version differs by 105 commits.

• 5385d41 feat: update to v0.64.0 version
• 12d4d25 deps: Change request to @ cypress/request (Extra line in dashboard api DeviaVir/zenbot#1145)
• f17e801 docs: revokeChatInviteLink
• 595cdbd feat: Telegram Bot API 6.8 support (Fix node-telegram-bot-api deprecated warning DeviaVir/zenbot#1113)
• dfe24a4 docs: update api.md for setWebHook (fix FEATURE - Use TAKER after fails of xx MAKER attempts DeviaVir/zenbot#1083) (Nonce must be greater than x you provided y DeviaVir/zenbot#1084)
• 542002e feat: Telegram Bot API Support 6.6 + 6.7 [WIP] (v4.1.0: release to master DeviaVir/zenbot#1069)
• 2885db0 Merge pull request Fix invalid HTML in simulation template DeviaVir/zenbot#1094 from kaiserdj/patch-1
• ad2b8c2 docs: Update group link
• 4ec6a68 docs: Update group link
• ab0eb18 fix: Handle rejected when open a webhook in a port that was already in use
• c4164a2 docs: Update README
• 6077f9b docs: update api.md for createNewStickerSet (Fix bug where fitness function assigned higher fitness to worse results. DeviaVir/zenbot#1043)
• 41f493b docs: update README.md (darwin.js - crossover/trendline strategy input & general .csv/.json output issues. DeviaVir/zenbot#1044)
• 53b5565 fix: remove try catch in _fixAddFileThumb
• 58261d1 feat: Telegram Bot API 6.4 Support (Be able to 'switch' asset and currency DeviaVir/zenbot#1040)
• 4ef4fe9 Update incorrect link in tutorials.md (Binance changed API 24 hours to 1 hour DeviaVir/zenbot#1027)
• ab59286 feat: Telegram Bot API v6.3 (Enhancement - Scheduled MongoDB prune DeviaVir/zenbot#1020)
• 0eb8b80 fix: Parse entities when sending request (REST API UI v1.1 DeviaVir/zenbot#1013)
• ccdd146 docs: Fix readme with correct link to api docs
• d853704 fix: Changelog
• 22d99fd docs: update @ types install note (Could simulation be done on a GPU ? DeviaVir/zenbot#999)
• fe4afd6 feat: Support Bot API v6.2 (Changed references in the Strategy objects of the backtesters to 'per… DeviaVir/zenbot#996)
• c9b05e7 feat: Support test enviroment (Error: invalid bucket size spec: undefined DeviaVir/zenbot#994)
• f50cf98 Hotfix: tests + modify order src/telegram + docs (Updated trendline "AP markup mode", profitable neural. Examples.... DeviaVir/zenbot#988)

See the full diff

Package name: pushbullet

The new version differs by 26 commits.

• 1f8c1fd Update to version 3.0.0
• 9186bd9 Add `createChannel()`
• ac2fe7e Deprecate `sendSMS()`
• 9b7bcda Add support for the text API
• 5f501c5 Fix some comments
• 426de2b Remove old Travis CI yaml file
• 6a0076c Update ESLint rules and apply fixes
• ebdc39e Merge branch 'github-action-tests'
• ffd626d Add GitHub action to run tests
• f68187d Add tests using nock for mocking the API
• 45a657f Remove tests for now
• 72e856e Codestyle, modernisation, misc fixes
• a899190 Update dependencies to latest versions
• dca0e34 Merge branch 'node-fetch-migration'
• 3f89158 Update changelog
• 6508617 Update README
• 6a83ef9 Replace request with node-fetch
• 0f18e80 Switch CJS requires to ESM imports
• 8b5eaef Update to version 2.4.0
• c1581bb Update dependency requirements
• eadb250 Reconnect to websocket stream if disconnected
• 3ea3f0c Update version to 2.3.0
• e662e3c Add fullResponses option to return response object
• 7b78838 Switch to ws module for stream handling

See the full diff

Package name: tulind

The new version differs by 31 commits.

• a0482fa update appveyor env variable name [publish binary]
• b063981 Version bump [publish binary]
• c456802 chore(deps): upgrade to @ mapbox/node-pre-gyp ([Snyk] Security upgrade strip-ansi from 4.0.0 to 7.0.0 #70)
• 1d86b1f moved publish to end of travis script. version bump. [publish binary]
• 5d0ae22 again [publish binary]
• c624b4a publish fix. version bump. [publish binary]
• 3a31cf0 version bump [publish binary]
• b279567 update to work with node 12
• d4dfc6d keep callback on stack
• 3fe97c5 use nan::to and nan:asyncresource
• 6988126 update copyright year
• b02ebd4 cleanup
• 594b35d option to publish from travis
• e278aa6 added encrypted AWS keys to travis
• 6a4bd45 added -Wno-cast-function-type flag
• c1890d1 remove node-pre-gyp from bundleddeps
• ec8bed3 update node version and packages
• 25f7080 added downloads/week badge
• 9d0b4d6 version bump [publish binary]
• c799055 fix crash when index.js is run more than once
• 168bcef Version 0.8.14 [publish binary]
• a2cf861 Update node-pre-gyp version to 0.12.0, added node 10, 11 to CI.
• af13d4d Update CI tools to test with NodeJs v10 and v11
• 6adda1e Update node-pre-gyp version to 0.12.0

See the full diff

Package name: webpack

The new version differs by 250 commits.

• 610f368 5.0.0
• 5ce65c1 update examples
• bbe1230 Merge pull request #11628 from webpack/bugfix/real-content-hash
• 75ecff2 5.0.0-rc.6
• bfc35d6 Merge pull request #11603 from MayaWolf/master
• 76e8cbd Merge pull request #11622 from webpack/dependabot/npm_and_yarn/types/node-13.13.25
• 9fd1be2 chore(deps-dev): bump @ types/node from 13.13.23 to 13.13.25
• 36bcfaa Merge pull request #11621 from webpack/bugfix/11619
• 9130d10 fix called variables with ProvidePlugin
• 3e42105 Merge pull request #11620 from webpack/bugfix/11617
• 4709719 skip connections copied to concatenated module
• 57b493f 5.0.0-rc.5
• 1658e2f Merge pull request #11618 from webpack/bugfix/11615
• a8fb45d fixes crash in SideEffectsFlagPlugin
• 84b196d emit error instead of crashing when unexpected problem occurs
• 5573fed Merge pull request #11601 from Hornwitser/improve-suggested-polyfill-config
• 9b5cce9 Merge pull request #11609 from snitin315/export-types
• 37c495c export type RuleSetUseItem
• 39faf34 export type RuleSetUse
• e5fd246 export type RuleSetConditionAbsolute
• 660baad export RuleSetCondition types
• 13e3ca5 Merge pull request #11602 from webpack/bugfix/shared-runtime-chunk
• 9c0587e Merge pull request #11606 from webpack/dependabot/npm_and_yarn/simple-git-2.21.0
• 502d166 Merge pull request #11607 from webpack/dependabot/npm_and_yarn/acorn-8.0.4

See the full diff

Package name: webpack-cli

The new version differs by 37 commits.

• b1e7ef3 break: update pkg.json
• 4857b9d break: webpack-cli v.3.0.0
• 660ce95 v0.0.8
• 9d3c9c1 v0.0.7
• 138adfd BREAKING: webpack-cli v3 ([SOLVED] GDAX API unable to call getBalance, http_status 'invalid signature' DeviaVir/zenbot#448)
• 03c1969 chore(deps): Update nyc to the latest version 🚀 (Please add itBit Exchange DeviaVir/zenbot#476)
• 3a8fcce chore(deps): Update conventional-changelog-cli to the latest version 🚀 (Bitfinex WS Fixes: Reconnect and crash on previously non-traded assets/currency DeviaVir/zenbot#474)
• 3442865 tests(binTestCases): refactor to make tests pass (x is undefined - crash in numbro.js DeviaVir/zenbot#472)
• c2398a2 fix(entry): fix a bug when `--display-entrypoints=false` does not hide entries (Fix bug with preroll when 0 volume DeviaVir/zenbot#464)
• 9977406 chore(package): update jest-cli to version 23.0.1 (Introduce a non-interactive mode DeviaVir/zenbot#467)
• 3953648 fix(dependencies): fix vulnerabilities (Bitfinex WebSockets API + Fix postonly not triggering re-buy DeviaVir/zenbot#458)
• 7c01f39 chore(travis): move npm ci to install task (Fix docker builds for forex.analytics DeviaVir/zenbot#424)
• aefa520 chore(travis): add Node.js 10 (npm install error DeviaVir/zenbot#425)
• 8283ba9 chore(docs): update readme
• 9760a4d Update dependencies to enable Greenkeeper 🌴 (RSI values on Zenbot 4 differs insanely from those on Zenbot 3.5 DeviaVir/zenbot#443)
• 4cca655 chore(travis): run lockfile cmds on tests (Bittrex has inverted values DeviaVir/zenbot#444)
• d0fb42c cli(init): revise installation steps (DynamoDB support DeviaVir/zenbot#441)
• 51851e8 fix(pkg): test auto setup
• bb181a1 chore(travis): Add encrypted private ssh key
• 2091d1c chore(package.lock): update pkg.lock
• d060239 chore(release): v.2.1.3
• 4149c53 chore(pkg): remove prefer global
• 84d6997 chore(templates): Update issue templates (Cannot find module './build/Release/analytics.node' DeviaVir/zenbot#432)
• 2273536 cli(cmds): revise yargs command (Trading issue on live for kraken DeviaVir/zenbot#422)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Prototype Pollution
🦉 Arbitrary Code Execution
🦉 More lessons are available in Snyk Learn