[Snyk] Fix for 27 vulnerabilities

[snyk-bot]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • js-old/package.json
  • js-old/package-lock.json
  • js-old/.snyk

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	619/1000 Why? Has a fix available, CVSS 8.1	Prototype Pollution SNYK-JS-AJV-584908	Yes	No Known Exploit
	509/1000 Why? Has a fix available, CVSS 5.9	Timing Attack SNYK-JS-ELLIPTIC-511941	No	No Known Exploit
	706/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.7	Cryptographic Issues SNYK-JS-ELLIPTIC-571484	No	Proof of Concept
	514/1000 Why? Has a fix available, CVSS 6	Prototype Pollution SNYK-JS-FLAT-596927	Yes	No Known Exploit
	472/1000 Why? Proof of Concept exploit, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-450202	No	Proof of Concept
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution SNYK-JS-LODASH-567746	No	Proof of Concept
	490/1000 Why? CVSS 9.8	Prototype Pollution SNYK-JS-LODASH-590103	No	No Known Exploit
	472/1000 Why? Proof of Concept exploit, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-608086	No	Proof of Concept
	365/1000 Why? CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-73638	No	No Known Exploit
	220/1000 Why? CVSS 4.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	No	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-174116	No	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-451540	No	No Known Exploit
	520/1000 Why? Has a fix available, CVSS 5.9	Regular Expression Denial of Service (ReDoS ) SNYK-JS-MARKED-584281	Yes	No Known Exploit
	377/1000 Why? Recently disclosed, CVSS 5.9	Denial of Service SNYK-JS-NODEFETCH-674311	Yes	No Known Exploit
	539/1000 Why? Has a fix available, CVSS 6.5	Cross-site Scripting (XSS) SNYK-JS-REACTTOOLTIP-72363	No	No Known Exploit
	315/1000 Why? CVSS 6.3	Prototype Pollution npm:lodash:20180130	No	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Cross-site Scripting (XSS) npm:marked:20170112	No	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Cross-site Scripting (XSS) npm:marked:20170815	No	No Known Exploit
	454/1000 Why? Has a fix available, CVSS 4.8	Cross-site Scripting (XSS) npm:marked:20170815-1	No	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:marked:20170907	No	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:marked:20180225	No	Proof of Concept
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:moment:20170905	No	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Override Protection Bypass npm:qs:20170213	No	No Known Exploit
	576/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.1	Uninitialized Memory Exposure npm:tunnel-agent:20170305	Yes	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Buffer Overflow npm:validator:20160218	No	No Known Exploit
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:validator:20180218	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: flat

The new version differs by 37 commits.

• e5ffd66 Release 5.0.2
• fdb79d5 Update dependencies, refresh lockfile, format with standard.
• e52185d Test against node 14 in CI.
• 0189cb1 Avoid arrow function syntax.
• f25d3a1 Release 5.0.1
• 54cc7ad use standard formatting
• 779816e drop dependencies
• 2eea6d3 Bump lodash from 4.17.15 to 4.17.19
• a61a554 Bump acorn from 7.1.0 to 7.4.0
• 20ef0ef Fix prototype pollution on unflatten
• e8fb281 Test prototype pollution on unflatten
• 6e95c43 Add node 10 & 12 to travis config.
• 38239cc Release 5.0.0
• beaea9d Add tests around cli. Only show usage if on TTY & no argument, allow eaccess error if file not readable.
• 533ac93 Convert var to const across source.
• fdfd095 Exit 1 on usage if specified a file.
• 369b206 Exit 1 on usage.
• f9f0788 Stop cli processing on error.
• a3909c5 Fix lint issues, use non-deprecated strictEqual/deepStrictEqual in tests.
• 74f83ab Update dependencies.
• 2ac1b4d Fix losing order of keys after unflatten an object
• 3b3cd0a Fix issue in `overwrite` example code
• 2b99901 feat: (flatten, unflatten) Add the transformKey opt.
• 32432dd Release 4.1.0

See the full diff

Package name: isomorphic-fetch

The new version differs by 12 commits.

• fc5e0d0 3.0.0
• 496fa43 Add version that was previously uncomitted to the package.json due to the previous release process
• 9f5a8b6 Add a list of alternatives
• 49280e6 Resolve minor security issue
• 0f5edd0 Explain why Isomorphic Fetch is needed in docs ([Snyk] Security upgrade @parity/ui from 3.0.20 to 3.1.15 #135)
• e32b006 Fix travis ([Snyk] Fix for 6 vulnerabilities #190)
• db0aa8c Update to latest version
• 8bf02c4 Bump node-fetch from 1.7.3 to 2.6.1 ([Snyk] Fix for 6 vulnerabilities #189)
• 89c7e70 Merge pull request [Snyk] Fix for 4 vulnerable dependencies #93 from paulmelnikow/fetch_ponyfill
• 25e3cab Add link to fetch-ponyfill
• 8d33aba Merge pull request [Snyk] Fix for 4 vulnerable dependencies #90 from josiah0/update-lintspaces-cli
• c22fcda Update lintspaces-cli

See the full diff

Package name: keythereum

The new version differs by 44 commits.

• 6b30068 Incremented version
• 4a9e16b Merge branch 'fix-recover'
• a937a2b Minor recover tweak
• fc325ef Merge branch 'master' into fix-recover
• 7f652c6 Updated distributable
• e18418c Merge branch 'remove-validator'
• 7cd44d7 Export and unit test isHex and isBase64
• a2cfd43 Added validator as devDependency for test/checkKeyObj
• 42537d8 isBase64 now returns boolean
• 043e7e8 isHexadecimal now returns boolean
• 495d0dd `.recover` should not affect `.constants`
• c67c936 Remove validator package
• 2bdf6c4 Export and unit test str2buf and hex2utf16le; use Buffer.from instead of new Buffer
• 1483a7d Merge branch 'simplify-create'
• 8c57e13 Tweaked comments, randomBytes callback
• e2749bd Merge branch 'master' into simplify-create
• 8ab5590 Merge branch 'improvement/isCipherAvailable'
• 0b38e71 Linting
• ee4238a Merge branch 'master' into improvement/isCipherAvailable
• 6557352 Left-pad private keys to 32 bytes; added more privateKeyToAddress test cases
• 6629160 Merge branch 'remove-ethereumjs-util'
• 7a279ca Linting; fixed secp256k1 version number
• 2f5a2c1 Simplify `create`
• ecf0449 Remove ethereumjs-util

See the full diff

Package name: marked

The new version differs by 250 commits.

• 1ad8e69 Merge pull request bump json-ipc-server version openethereum/parity-ethereum#1731 from UziTech/release-1.1.1
• 7e17526 1.1.1
• 7fbee6e Merge pull request Make sure parking_lot::Condvar is signaled under a mutex openethereum/parity-ethereum#1730 from UziTech/update-deps
• 6f7522f Merge pull request Parity doesn't close IPC sockets openethereum/parity-ethereum#1729 from UziTech/quick-ref
• f8024eb remove ending slash
• 524ae66 remove ending slash
• 0d6e056 build
• 04ac593 update dev deps
• f36f676 🗜️ build [skip ci]
• dddf9ae Merge pull request RPC trace_transaction crashes parity with: thread '<unknown>' has overflowed its stack openethereum/parity-ethereum#1686 from calculuschild/EmphasisFixes
• 6b729ed Merge branch 'EmphasisFixes' of https://github.com/calculuschild/marked into EmphasisFixes
• e27e6f9 Sorted strong and em into sub-objects
• a761316 Merge pull request Sync stalls on windows openethereum/parity-ethereum#1726 from UziTech/show-rules
• f8193ed add npm run rules
• ad720c1 Make emEnd const
• 1fb141d Make strEnd const
• 226bbe7 Lint
• cc778ad Removed redundancy in "startEM" check
• 211b9f9 Removed Lookbehinds
• 982b57e Merge pull request Exclude generated code from coverage openethereum/parity-ethereum#1720 from vassudanagunta/docs-patch-1
• 2a847e6 clarify level of support for Markdown flavors
• bd4f8c4 Fix unrestricted "any character" for REDOS
• 4e7902e Gaaaah lint
• 4db32dc Links are masked only once per inline string

See the full diff

Package name: napa

The new version differs by 12 commits.

• 09bd26e v3.0.0
• 089c10e Update copyright 2017
• b998270 Merge pull request [Snyk] Fix for 3 vulnerable dependencies #79 from chitoku-k/fix/dep
• 6e38787 Drop support for Node.js < 4
• 707ec6c Downgrade devDependencies
• a76b475 Update dependencies
• bc0eddb Merge pull request [Snyk] Fix for 3 vulnerable dependencies #77 from Grawl/patch-2
• 741e296 Update README.md
• 6be8fb2 Merge pull request [Snyk] Fix for 3 vulnerable dependencies #75 from Grawl/patch-1
• 78b75af Update README.md
• 9e07ff2 Update README.md
• 899da15 Update README.md

See the full diff

Package name: qs

The new version differs by 18 commits.

• 9ee5612 v6.3.2
• 0a63fc8 [Tests] up to `node` `v7.7`, `v6.10`,` v4.8`; disable osx builds since they block linux builds.
• 8e1f3e7 [Fix] support keys starting with brackets.
• febe81a [Fix] chmod a-x
• e54c5ec [Dev Deps] update `eslint`
• 8e2af08 [Fix] follow `allowPrototypes` option during merge
• 153ce84 v6.3.1
• d73b7a6 [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `browserify`
• beade02 [Fix] ensure that `allowPrototypes: false` does not ever shadow Object.prototype properties.
• 8bd4c6c Document allowDots option for stringify
• 0adcf3e [Docs] add empty object and array values example.
• 5f27353 [Tests] on all node minors; improve test matrix
• 657f8df [Docs] Fix minor inconsistency/typo
• 839b1f2 [Docs] Show example of sort option
• ec3bc8e Remove contributing.md, since `qs` is no longer part of `hapi`. ([Snyk] Fix for 6 vulnerabilities #183)
• b041eb9 [Refactor] `stringify`: throw faster with an invalid encoder
• 2ca339e [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `browserify`, `iconv-lite`, `qs-iconv`, `tape`
• eb9fbe4 remove unnecessary escapes (according to npm test results)

See the full diff

Package name: react-tooltip

The new version differs by 136 commits.

• cb16d97 Merge pull request Make clippy an optional dependency openethereum/parity-ethereum#422 from wichniowski/fix/sanitizeHtmlPreventXSS
• 182df11 fix(tooltip): sanitize HTML to prevent XSS
• ce365fe Merge branch 'plondon-fix/nonce-support'
• cf105a1 feat: The only way to support styling react-tooltips with a strict csp is to inject the style.css di
• 9617aa7 Merge pull request Network/Sync fixes and optimizations openethereum/parity-ethereum#416 from RobertGary1/rmg-mouseover
• 19a8a67 feat: Small bug fix to previous commit
• 79342ce feat(tooltip): Add ability to hover on tooltip. Provide optional delay of updating so if the mouse p
• f6f8401 Merge pull request Use latest era instead of end era as journal marker openethereum/parity-ethereum#414 from AlexanderEllis/master
• 57dc55a Fixed jsdoc return typos
• 86f3cf8 Merge pull request Using modified version of ctrlc that catches SIGTERM openethereum/parity-ethereum#399 from jstettner/master
• 02b6fef fixes typos
• f02ff35 Update dev dependencies for avoiding warning
• 4fb4b40 Merge pull request jsonrpc openethereum/parity-ethereum#391 from hassanbot/tooltip-orientation
• 6f01ed8 Change orientation priority
• 424e43b Fix formatting
• f33d5b3 Make sure tooltip is oriented correctly when close to edge
• c44cc2d Merge pull request Release 1.0 openethereum/parity-ethereum#389 from wwayne/current_target_fix
• 28b8493 fix(isCapture): better guard that preserves logic
• 99bf5ec Merge branch 'master' into current_target_fix
• 4f89a2d fix(isCapture): guard use of currentTarget
• 871b77c Merge pull request Editorconfig file. openethereum/parity-ethereum#384 from P0lip/master
• 6d7b3fa Add info about workaround
• f14c6ca Code review fixes
• 68fd5b5 Detach custom event listener

See the full diff

Package name: recharts

The new version differs by 39 commits.

• 49c3e7e Version 0.16.0
• 67dd4c6 test: fix test case
• 2bc2dc6 docs: update packages
• dd0f213 test: update some test case and fix test error
• 515279c feat: support both x-axis and y-axis are numerical axis, fix [Snyk] Fix for 6 vulnerabilities #183
• dcff8ce fix: fix angle in PolarRadiusAxis
• ff63d75 fix: fix the axis when change new data
• 208e39c fix: fix server render bug of Text, fix ethcore docs openethereum/parity-ethereum#301
• 69e56b3 fix: 1. fix angle of PolorRadiusAxis 2. fix BrushDemo 3.fix lint error
• 223a20d lint: fix some lint errors
• cc5b435 Merge pull request update ethcore.github.io documentation automatically openethereum/parity-ethereum#311 from konstantin24121/issue310
• 7a19c5a Merge pull request [Snyk] Security upgrade web3 from 1.0.0-beta.26 to 1.2.0 #277 from billneff79/axis-performance
• ee72d56 add animation events
• 84400a0 Version 0.15.3
• 25d9e76 fixed bugs in @developit pull request for performance in ReactUtils
• 43e6691 Fix painfully slow sanitization methods
• 5cf6283 autofix some lint errors
• 2193758 merge in origin/master and fix merge conflicts
• 2c823d8 Add angle property to PRESENTATION_ATTRIBUTES (Immutable Transaction data structure openethereum/parity-ethereum#307)
• 8600611 chore: update istanbul plugin
• fa41282 Merge pull request Fixed block queue test openethereum/parity-ethereum#294 from recharts/fix/update_deps
• 716be6c chore: add yarn.lock and update deps
• 8589639 Added more tests to LineChart and AreaChart to ensure pure rendering
• dfe08f8 Added tests to future proof against PureRendering getting messed up on LineCharts, which should help catch issues with several others as well

See the full diff

Package name: validator

The new version differs by 250 commits.

• 748d499 9.4.1
• 1950835 Patch a REDOS
• 77ed1ed Update the changelog and min version
• 5c4c971 Merge pull request Auto detect available port (with fixed test) openethereum/parity-ethereum#788 from malachiwa/patch-1
• 6a91b75 Update Israel's prefixes of mobile phone numbers
• c93cf2c Merge pull request Listen on all interfaces for JSONRPC by default. openethereum/parity-ethereum#786 from amilajack/patch-1
• eeba049 Run against node 8
• 4e455d2 9.4.0
• 4fb34e9 Re-add the change to the en-IN phone regex
• f2b9806 Updates from the previous merge
• ca20e91 Merge pull request Allow 0x prefix for --author. openethereum/parity-ethereum#785 from geekguy/master
• f51344f Indian mobile numbers can start with 6 now.
• 0ccb1c7 Update the changelog and min version
• e7b8557 Merge pull request Transaction trace querying openethereum/parity-ethereum#769 from ProfNandaa/feat-741-is-phone-number-cc
• 5615a12 isMobilePhone: add option for strictMode
• ca0f25f 9.3.0
• e9a4009 Remove the leftover compiled isDate
• bf46b58 Update the changelog and min version
• 06d6b16 Merge pull request Geth-compatible IPC module openethereum/parity-ethereum#774 from vetoshko/new-phones
• 3920f9d Merge branch 'master' into new-phones
• f5fcb6d Merge pull request added output to execution result openethereum/parity-ethereum#777 from athivvat/support-thailand-locale
• cbea0c7 Merge branch 'master' into support-thailand-locale
• ab898d5 Merge pull request Make Externalities::ret consume self openethereum/parity-ethereum#779 from aniham/master
• cfca110 Merge branch 'master' into master

See the full diff

Package name: worker-loader

The new version differs by 20 commits.

• 77c599c chore(release): 1.1.1
• d1a7a94 fix(index): add `webpack >= v4.0.0` support ([Snyk] Fix for 1 vulnerabilities #128)
• 8905f8d docs(README): fix syntax highlighting on `webpack.js.org` ([Snyk] Fix for 4 vulnerabilities #112)
• 20af2e9 chore(release): 1.1.0
• 0994334 refactor(index): remove legacy code (`webpack =< v1.0.0`) ([Snyk] Fix for 4 vulnerabilities #105)
• 09705fb refactor: apply `webpack-defaults` ([Snyk] Fix for 3 vulnerable dependencies #81)
• 2051a3a docs(README): fix layout, add links && anchors ([Snyk] Fix for 1 vulnerabilities #100)
• 96c6144 feat: add `publicPath` support (`options.publicPath`) ([Snyk] Fix for 1 vulnerable dependencies #31)
• a9ec386 docs(README): standardize ([Snyk] Fix for 3 vulnerable dependencies #82)
• d914288 docs(README): improve TypeScript integration example ([Snyk] Fix for 18 vulnerable dependencies #97)
• 2aa3e81 chore(release): 1.0.0
• 1b84066 chore: Adds release tooling & script
• f7e2132 chore: Allow Webpack v3.x as a peerDependency ([Snyk] Fix for 3 vulnerable dependencies #85)
• 57c2846 0.8.1
• 1d8180a test: Improve named workers via options ([Snyk] Fix for 2 vulnerable dependencies #80)
• 5e2f5e6 feat: add `options` validation (`schema-utils`) ([Snyk] Fix for 3 vulnerable dependencies #78)
• edcda35 feat: support loading node core modules ([Snyk] Fix for 3 vulnerable dependencies #76)
• 13f586b docs: Added Typescript integration to the readme ([Snyk] Fix for 3 vulnerable dependencies #79)
• 5c3003e docs: Add worker message example to README ([Snyk] Fix for 2 vulnerable dependencies #66)
• 6eb39f0 docs(README): explain what the loader does ([Snyk] Fix for 2 vulnerable dependencies #65)

See the full diff

With a Snyk patch:

Severity	Priority Score (*)	Issue	Exploit Maturity
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution SNYK-JS-LODASH-567746	Proof of Concept
	365/1000 Why? CVSS 7.3	Prototype Pollution npm:extend:20180424	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic