[Snyk-dev] Fix for 14 vulnerabilities

[snyk-bot]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • test/fixtures/qs-package/node_modules/snyk/package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	484/1000 Why? Has a fix available, CVSS 5.4	Open Redirect SNYK-JS-GOT-2932019	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	Yes	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-450202	Yes	Proof of Concept
	731/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.2	Prototype Pollution SNYK-JS-LODASH-567746	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-608086	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-73638	Yes	Proof of Concept
	541/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-NCONF-2395478	Yes	Proof of Concept
	704/1000 Why? Has a fix available, CVSS 9.8	Arbitrary Code Injection SNYK-JS-OPEN-174041	Yes	No Known Exploit
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution SNYK-JS-UNDEFSAFE-548940	Yes	Proof of Concept
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:lodash:20180130	Yes	Proof of Concept
	741/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.4	Arbitrary Command Injection npm:open:20180512	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: chalk

The new version differs by 53 commits.

• 3fca615 2.0.0
• f66271e Add tagged template literal (Add python cli docker images #163)
• 23ef1c7 fix linter errors
• c015568 add rainbow example
• 09fb2d8 Re-implement `chalk.enabled` (Testing travis #160)
• 608242a spoof supports-color
• 18f2e7c add host information output
• 523b998 Revert "TEMPORARY: emergency travis CI fix (see comments)"
• 54975fb TEMPORARY: emergency travis CI fix (see comments)
• 1d73b21 Improve readme
• 6f4d6b3 Bump dependencies
• 8702496 Remove `chalk.styles`
• 0412cdf Minor code improvements
• 249b9ac ES2015ify the codebase
• cb3f230 Add RGB (256/Truecolor) support (#140)
• dbae68d Update dependent package count in the readme (#154)
• 9b60021 Drop support for Node.js 0.10 and 0.12
• 0d21449 check parent builder object for enabled status (#142)
• 5a69476 add XO badge
• 492f11f add example file
• 4ce73b6 make XO happy
• 7c02cf4 Add log statement to chalk examples (#129)
• 835ca3d You've just reached 10,000 dependent modules. (fix: add proxy support when fetching patches #122)
• 74c087d minor doc improvements (#120)

See the full diff

Package name: inquirer

The new version differs by 92 commits.

• 68fcbcb 3.2.0
• e16575c Bump dependencies
• 3f2c74b fix(package): update chalk to version 2.0.0
• 2e9eb3e Allow non-string values as a list default option (feat: preparation for go modules support #558)
• 5dbd186 [fix] feat: sha256 checksums for binary releases #293 Exit script when SIGINT signal received (#564)
• 625965e Fixed typo (feat: revert gradle plugin to undo breaking change #563)
• babdfb2 Add Plugins Section to README.md (fix: Improve dockerfile instruction parser #559)
• 810c138 fix(package): update strip-ansi to version 4.0.0
• 13d3100 3.1.1
• 60b27f0 Setup coverage in codacy
• 62fde13 Bump dev dependencies
• 3f465b4 Move eslint configs to own file (easier to integrate in third party)
• 948f8dc Keep password prompt silenced after error - Fix feat: select Gradle confugiration via name/attributes #553 #546
• 11f5854 chore(package): update sinon to version 2.3.4 (fix: protect failing due to missing auth #550)
• e612cc5 3.1.0
• 148cb71 Update eslint-config-xo-space to the latest version 🚀 (chore: Update broken snyk link #516)
• 3b93dd5 call chalk.reset() after message prompt (Chore: delete expired docker promo #544)
• 3ff39a6 chore(package): update chai to version 4.0.1 (fix: remove incorrect Gradle logging #541)
• 76f1bfe upgrade external-editor to 2.0.4 (chore: convert config to ts #535)
• da4eceb pass current answers hash to filter (chore: drop console.logs #533)
• f99b398 Use rx-lite-aggregates instead of full rx (fix: bump python plugin to fix bug with urls in req.txt #532)
• 20119a2 fix(package): update ansi-escapes to version 2.0.0 (refactor: Keep track of supported wizard package managers instead #527)
• e294e16 Update validate fn param docs (Refactor/module info #526)
• 5b3a4a2 Add masked password example

See the full diff

Package name: snyk-config

The new version differs by 64 commits.

• 34bd34e Merge pull request #43 from snyk/fix/bundle-nconf
• b9cc6b6 feat: swap yargs parser with minimist
• 2b3935c feat: re-enable argv parsing with yargs
• 3b8a4e1 feat: add the original argv module
• 392e6f2 fix: use vendored nconf
• b90e7e7 fix: vendor nconf to remove vulnerable yargs version
• f2c0e1e chore: add the original nconf library
• eb0f55f Merge pull request #42 from snyk/test/add-more-test-cases
• bf4231e test: add more tests for argument parsing
• c10881d test: add test case for value type changing
• f167704 Merge pull request chore: 'npm run build' in appveyor #40 from snyk/fix/less-lodash
• d671a6e fix: Reduce lodash, use lodash.merge directly
• 136b3a9 Merge pull request #39 from snyk/feat/use-patched-lodash
• a2d2453 feat: use forked lodash patched against zipObjectDeep vulnerability
• b4b4912 Merge pull request #38 from snyk/fix/major-release
• 5c3aaef fix: trigger a major release
• af60412 Merge pull request #37 from snyk/feat/service-env
• d177015 docs: package name is wrong
• 1037183 BREAKING CHANGE: load SERVICE_ENV instead of local by default
• 5e90504 chore: disable lots of eslint warnings
• 9cac115 feat: eslint --fix
• e670f86 BREAKING CHANGE: drop node 6 support
• 39eba76 chore: remove unused npm run semantic-release, travis runs it
• 6e60b3b feat: basic types

See the full diff

Package name: undefsafe

The new version differs by 23 commits.

• f272681 fix: prevent changes in prototype chain
• f495954 chore: prettier changes
• e4180ba fix: add .npmignore (#11)
• 29c8d32 Merge branch 'master' of github.com:remy/undefsafe
• 9a1631a fix: handle null as the root object
• 2d38e72 feat: * rule returns all matches (#7)
• 9c7867e fix: when first prop is a string lookup
• f6a7369 feat: support string properties
• 4096e74 docs: update use with star rules
• a8ec59c chore: Merge branch 'master'
• 9fff017 feat: support `*` in paths
• c1ff86d Merge pull request #3 from kasicka/master
• 454e910 Add license
• aab63c2 feat: support setting values
• 0dca1f4 chore: ignore dev output
• 45ac637 chore: add linting files
• fff7997 refactor: move to tap over mocha
• 3d82f24 chore: merge branch 'master'
• 951081b chore: release 1.0.0
• 2d70b33 fix: add tonic demo
• 60181c2 Merge pull request #2 from cbas/patch-1
• acce87b SPDX expression
• 98aa896 Better example in readme

See the full diff

Package name: update-notifier

The new version differs by 102 commits.

• 311557e 6.0.0
• 9183541 Require Node.js 14 and move to ESM
• 3fdb218 5.1.0
• 73c391b Upgrade dependencies
• 0a6027e Move to GitHub Actions
• d8fa601 Rename `master` branch to `main`
• f63b2eb 5.0.1
• 9e2b772 Update dependencies
• da7c464 5.0.0
• 5b440c2 Require Node.js 10
• 3dfe42d Don't suggest to upgrade to lower version (chore: automate pkg assets publishing #192)
• 132b7ce Remove a project from "Users" section (#191)
• c9d2166 4.1.1
• f42fc8f Improve vertical alignment of the notifier output (chore: eslint instead of jscs #183)
• 71a3f19 Use HTTPS links
• 64c5236 Fix Travis
• 9d9f4ff 4.1.0
• 4062f12 Update dependencies
• adbeb6e Add template support for the `message` option (#175)
• adf7803 4.0.0
• fb5161c Remove the `callback` option (#158)
• 39682de Rename `boxenOpts` option to `boxenOptions`
• bc1721a Avoid showing notification if current version is the latest (wizard: fix prompts.forEach is not a function #174)
• ccaf686 Update dependencies

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Open Redirect
🦉 Regular Expression Denial of Service (ReDoS)
🦉 More lessons are available in Snyk Learn

[github-actions]

	Warnings
⚠️	"fix: test/fixtures/qs-package/node_modules/snyk/package.json to reduce vulnerabilities" is too long. Keep the first line of your commit message under 72 characters.

Generated by 🚫 dangerJS against 21129f0