[Snyk] Fix for 24 vulnerabilities

[takeratta]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	Yes	Proof of Concept
	641/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.4	Prototype Pollution SNYK-JS-JSON5-3182856	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	Yes	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-450202	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-608086	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-73638	Yes	Proof of Concept
	541/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	Yes	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASHTEMPLATE-1088054	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-1019388	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-3050818	Yes	No Known Exploit
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Prototype Pollution SNYK-JS-MINIMIST-2429795	Yes	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Server-side Request Forgery (SSRF) SNYK-JS-REQUEST-3361831	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	Yes	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-UGLIFYJS-1727251	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-UNSETVALUE-2400660	Yes	No Known Exploit
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:clean-css:20180306	Yes	Proof of Concept
	714/1000 Why? Has a fix available, CVSS 10	Sandbox Bypass npm:constantinople:20180421	Yes	No Known Exploit
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:lodash:20180130	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:minimatch:20160620	Yes	No Known Exploit
	629/1000 Why? Has a fix available, CVSS 8.3	Improper minification of non-boolean comparisons npm:uglify-js:20150824	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) npm:uglify-js:20151024	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: eslint

The new version differs by 250 commits.

• ff8c4bb 4.5.0
• 480bbee Build: changelog update for 4.5.0
• decdd2c Update: allow arbitrary nodes to be ignored in `indent` (fixes #8594) (#9105)
• 79062f3 Update: fix indentation of multiline `new.target` expressions (#9116)
• d00e24f Upgrade: `chalk` to 2.x release (#9115)
• 6ef734a Docs: add missing word in processor documentation (#9106)
• a4f53ba Fix: Include files with no messages in junit results (#9093) (#9094)
• 1d6a9c0 Chore: enable eslint-plugin/test-case-shorthand-strings (#9067)
• f8add8f Fix: don't autofix with linter.verifyAndFix when `fix: false` is used (#9098)
• 77bcee4 Docs: update instructions for adding TSC members (#9086)
• bd09cd5 Update: avoid requiring NaN spaces of indentation (fixes #9083) (#9085)
• c93a853 Chore: Remove extra space in blogpost template (#9088)
• 0d9da6d 4.4.1
• 1ea9a6c Build: changelog update for 4.4.1
• ec93614 Fix: no-multi-spaces to avoid reporting consecutive tabs (fixes #9079) (#9087)
• a113cd3 4.4.0
• 181bd46 Build: changelog update for 4.4.0
• 89196fd Upgrade: Espree to 3.5.0 (#9074)
• b3e4598 Fix: clarify AST and don't use `node.start`/`node.end` (fixes #8956) (#8984)
• 62911e4 Update: Add ImportDeclaration option to indent rule (#8955)
• de75f9b Chore: enable object-curly-newline & object-property-newline.(fixes #9042) (#9068)
• 5ae8458 Docs: fix typo in object-shorthand.md (#9066)
• c3d5b39 Docs: clarify options descriptions (fixes #8875) (#9060)
• 37158c5 Docs: clarified behavior of globalReturn option (fixes #8953) (#9058)

See the full diff

Package name: gulp

The new version differs by 250 commits.

• 55eb23a Release: 4.0.0
• 173a532 Docs: Fix the installation instructions
• ec54d09 Docs: Improve note about out-of-date docs
• 03b7c98 Docs: Update recipes to install gulp@next
• 2eba29e Docs: Remove run-sequence from recipes
• 76eb4d6 Docs: Add installation instructions & update badges
• fbc162f Docs: Remove references to gulp-util
• 3011cf9 Scaffold: Normalize repository
• f27be05 Update: Remove graceful-fs from test suite
• 361ab63 Upgrade: Update glob-watcher
• 064d100 Build: Avoid broken node 9
• 057df59 Release: 4.0.0-alpha.3
• c1ba80c Breaking: Upgrade major versions of glob-watcher, gulp-cli & vinyl-fs
• 89acc5c Docs: Improve ES2015 task exporting examples ([Bug 905834] Developer Vagrant environment mozilla/kitsune#1999)
• 0ac9e04 Docs: Add "Project structure" section to CONTRIBUTING.md ([bug 726941] Allow users to close their account mozilla/kitsune#1859)
• 723cbc4 Docs: Fix syntax in recipe example ([bug 932539] Replace the get involved banner mozilla/kitsune#1715)
• d420a6a Docs: Have gulp.lastRun take a function to avoid task registration ([bug 966738] Stop shrinking the font. mozilla/kitsune#1828)
• 29ece6f Upgrade: Update undertaker
• e931cb0 Docs: Fix changelog typos (Update Gravatar tooltip text mozilla/kitsune#1696)
• 477db84 Docs: Add a "BrowserSync with Gulp 4" recipe (Another import fix mozilla/kitsune#1659)
• d4ed3c7 Docs: Add options.cwd for gulp.src API ([bug 916813][bug 916818] Implement KB and L10n automatic badges. mozilla/kitsune#1645)
• 5dc3b07 Docs: Update gulp.watch API to align with glob-watcher
• 0c66069 Breaking: Replace chokidar as gulp.watch with glob-watcher wrapper
• c3dbc10 Docs: Clarify incremental builds example (Reset schema 911831 mozilla/kitsune#1609)

See the full diff

Package name: gulp-watch

The new version differs by 220 commits.

• 80cd83e 5.0.1
• 6fe8912 Replace deprecated gulp-util ([bug 697445] Fix kbforums async preview. mozilla/kitsune#303)
• 959128a 5.0.0
• 9208d48 Bump chokidar to ^2.0.0
• 02bd06d Update to newest vinyl for gulp 4 support ([bug 696236] Fix flagit. mozilla/kitsune#296)
• 4ced696 Add Node.js 9 and increase timeout to 5 secs
• aa8146f Remove unsupported versions of Node.js
• 608c7aa 4.3.11
• 410dbab Bump dem deps 🐎
• bd4d31e Fix Windows Node v7 support
• 946d39c CI: add Node v7 to Travis and AppVeyor
• 4f4b151 4.3.10
• 2a2e0aa Ignore OS generated files
• 531be3b Issue reporting: add Node.js version, platform and arch
• 990038e Rewrite vinyl.read as Promise in order to update dependencies
• 06793d7 4.3.9
• cd7359b Normalize paths and improve error logging
• 89dc1a5 Add tests for path normalizations
• 38938f6 4.3.8
• 1bd7f7c Tests: move touch.js to test/util
• 9526da4 Fix Windows CI
• 78ab937 Replace glob2base with glob-parent, drop glob dependency
• 0a80ac3 fix tests
• 9ce4692 CI: explicitly test on Node 5 and 6

See the full diff

Package name: jsdom

The new version differs by 250 commits.

• 74a8d1e Version 16.6.0
• f51f2ec Remove the dependency on request
• 2b6d5ae Update dependencies
• b72b33b Disable now-crashing canvas test
• 39b7972 Handle null and undefined thrown as exceptions
• 04f6c13 Add ParentNode.replaceChildren() (Create separate administrative user identities. mozilla/kitsune#3176)
• e4c4004 Version 16.5.3
• 2f41466 Fix MutationObserver infinite loop bugs (Improve performance of question_details view (mysql questions_question select) mozilla/kitsune#3173)
• b232f2a Run partially-failing WPTs in the custom-elements directory
• 35e103e Run partially-failing WPTs in the cors directory
• 77b660a Run partially-failing WPTs in the FileAPI directory
• d8a245f Use `InnerHTML` mixin for `innerHTML` definition (Add Whitenoise  mozilla/kitsune#2981)
• bd50bbe Version 16.5.2
• d5cfd69 Fix event handler ObjectEnvironment instantiation
• 93e3d4a Remove vestigial concurrentNodeIterators option-passing
• c92f9c1 Check all associated elements for form validity
• 2202703 Fix failing WPTs calculation
• 21c7671 Upgrade dependencies
• c1b9ea1 Port skipped "test_body_event_handler_inline" to WPT
• a13d854 Use WeakRefs for NodeIterator tracking when supported
• fdf97d8 Fix radio/checkbox to not fire events when disconnected
• 761d8cc Refactor <output>
• b36d418 Make customElements.whenDefined() resolve with the constructor
• c5d13bb Remove a variety of redundant to-port tests

See the full diff

Package name: mocha

The new version differs by 250 commits.

• e8cda73 Release v3.0.0
• 4944e31 rebuild mocha.js
• 16762d1 fix bad merge of karma.conf.js
• 2f9a409 add note about spec reporter to CHANGELOG.md [ci skip]
• 7c0284b fixed typo in mocha.css introduced by 185c0d902e272216232630fe4e2577268456dd9a [ci skip]
• 8741506 Remove carriage return before each test line in spec reporter. Served no purpose
• 309b8f2 add "logo" field to package.json [ci skip]
• 740a511 fix incorrect executable name with new version of commander
• 0e2e49b add bower.json to published package for npmcdn support [ci skip]
• d367bc7 fix broken/wrong URLs in CHANGELOG.md [ci skip]
• 6184529 Release v3.0.0-2
• 4b4009b rebuild mocha.js
• 15c344c add browser-stdout to dependencies
• e3ab4ec update CHANGELOG [ci skip]
• 0cd9dc9 let child suites run if parent is exclusive; closes [bug 1133788] Make locale field writable. mozilla/kitsune#2378 (Cache virtual environment on Travis mozilla/kitsune#2387)
• f0b184e Upgrade eslint package to 2.13 version ([bug 1128007] Upgrade jingo to master tip. mozilla/kitsune#2389)
• cab1e43 markdown fixes for CHANGELOG.md [ci skip]
• d0d5e50 fix bad reference to to-iso-string in test
• 517020b suppress warning about .eslintignore when running ESLint
• 08a6ccf copy to-iso-string; closes [bug 1133788] Make locale field writable. mozilla/kitsune#2378
• 74940ef added changes to CHANGELOG.md [ci skip]
• bf216d5 tweak wording on "overspecification" exception
• 3a3a699 wip CHANGELOG update
• 5c34451 display executed commands in Makefile for debugging

See the full diff

Package name: nunjucks

The new version differs by 250 commits.

• 4deb594 Bump version to 2.4.0.
• f7ebe0d Update changelog.
• 6ac73e9 Merge pull request [bug 765916] Make note and warning text darker mozilla/kitsune#694 from mariusbuescher/master
• 326d8c0 Add note about include and blocks; update wrapping of templating docs.
• 794f8bc Merge pull request [bug 768457] Add e= back for CTR analysis mozilla/kitsune#688 from pra85/patch-1
• 2247fc4 Rename all test templates to use .j2 extension.
• 245e540 Update changelog.
• 4917f42 Revert "make include statements trigger async conversion inside if/for statements (fixes [bug 710279] Fix test_creator_nums_redis test mozilla/kitsune#372)"
• 9c22139 Merge pull request [bug 765816] Move Army of Awesome common replies to KB. mozilla/kitsune#672 from TrySound/yargs
• 64a097a Update changelog.
• 08cd4f1 Split backported and non-backported portions of [bug 759965] Wiki parser handles redirects mozilla/kitsune#667 in changelog.
• 7bea4ce More acks in changelog.
• 7f49835 Merge pull request Fix search button wrapping on some systems mozilla/kitsune#668 from oyyd/cn-doc
• f892a21 Don't allow included templates to write to the including scope.
• 641eaae Update changelog for opts.dev fix.
• 65be220 Split include tests.
• 2fb7f0d Fix references to env dev opt.
• fd4127c Split some tests for easier debugging; fix indentation of some others.
• b421b82 Merge pull request Remove the survey on /kb landing page. mozilla/kitsune#630 from KSDaemon/master
• f324b7c Merge pull request [bug 759831] Update user message for new question mozilla/kitsune#663 from forresst/translate-in-french-656
• fd7c9a4 Merge pull request [bug 757028] Add daily calculation of contributor metrics. mozilla/kitsune#662 from oyyd/cn-doc
• c374af1 Merge branch 'oyyd-support-in-object'
• ae4c82c Merge pull request Fix MySQL configuration step in the installation docs mozilla/kitsune#656 from daniele-rapagnani/master
• 591d92a Merge pull request [Bug 765724] List elements on the forum should have top margins mozilla/kitsune#658 from oyyd/cn-doc

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Prototype Pollution
🦉 Server-side Request Forgery (SSRF)
🦉 More lessons are available in Snyk Learn