[Snyk] Fix for 7 vulnerabilities #153

snyk-bot · 2023-03-12T01:36:12Z

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- package.json
Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
Find out more.

Vulnerabilities that will be fixed

With an upgrade:

Priority Score (*)	Issue	Breaking Change	Exploit Maturity
731/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.2	Prototype Pollution SNYK-JS-LODASH-567746	Yes	Proof of Concept
686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-608086	Yes	Proof of Concept
686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-73638	Yes	Proof of Concept
541/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	Yes	Proof of Concept
636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:lodash:20180130	Yes	Proof of Concept
479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) npm:uglify-js:20151024	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: gulp

The new version differs by 216 commits.

84df40b 3.8.11
c46bf1a update liftoff and v8flags to deal with new node versions and iojs
0b7967f Fixed minor JS syntax error in docs
98b1cb6 Update .travis.yml
e8c6bf6 Add node.js 0.12 and io.js to travis.yml
54684fe Adding gulp-util to the npm install line
e9f8991 Update gulp core team GitHub link
af17d96 Update gulp-ruby-sass syntax (1.0.0)
0cc972c add gitter badge and rearrange badge line
3cb110b Removed syntax highlighting from file structure
17d77cb update MIT License to year range
51e5a24 Merge pull request #834 from danielbayerlein/gulp-watch-v3
f66bbb4 Merge pull request #836 from yousefcisco/patch-1
7f25230 Update dealing-with-streams.md
c9563c7 gulp-watch v3.0.0 API
994f872 Merge pull request #820 from pertrai1/patch-1
d530c08 article on optimizing web code
e463249 sourcemaps with watchify
6a3b85f clean up watchify recipe
20774cc Merge pull request #596 from stevelacy/patch-1
03df8c9 Merge pull request #818 from CaryLandholt/master
742dce6 pluralized Book(s) section
305500f Add "Developing a gulp Edge" book reference
ae98edf Merge pull request #809 from svetlyak40wt/patch-1

See the full diff

Package name: gulp-jshint

The new version differs by 20 commits.

c277434 2.0.3
711f3f0 test fix
0045278 dep updates
bee3a83 [readme] spruce things up a bit
2cb429b 2.0.2
f1f3fc2 Merge pull request [Snyk] Fix for 1 vulnerabilities #150 from VictorVation/master
4f1f1cb update minimatch
6c9cadd Merge pull request [Snyk] Fix for 2 vulnerabilities #140 from rtack/patch-1
6532823 fix typo
4a7f304 2.0.1
5c1d63f move to explicitly imported lodash functions
81c7498 Merge pull request [Snyk] Security upgrade karma from 0.12.37 to 5.0.8 #139 from rkurbatov/upgrade-lodash
631e7ed Update .gitignore
368f267 Upgrade lodash version, fix 'repository' field to correct form
0d91672 Create CHANGELOG.md
d7cc9ea version 2.0.0
02c4053 added note about jshint peerDependency
226ea3b Merge pull request resize event support #120 from spalger/jshintAsPeer
a1c0be4 [npm] install jshint on travis, for old npm and future npm
3e7ad84 [npm] move jshint to peerDependencies

See the full diff

Package name: gulp-uglify

The new version differs by 63 commits.

c16275f 1.5.1
c572ae3 chore: package only specific files
e9fe539 1.5.0
0555181 Fix the case where the generated source maps contains a null source content
289a910 Merge pull request [Snyk] Security upgrade karma from 0.12.37 to 5.0.8 #147 from terinjokes/greenkeeper-uglify-js-2.6.0
1814403 chore(package): update uglify-js to version 2.6.0
e3709af fix(createError): separate createError into own module
735e04d chore(format): use a consistent format
03c672a Merge pull request [Snyk] Fix for 2 vulnerabilities #140 from terinjokes/greenkeeper-istanbul-0.4.0
1a1325d chore(CI): add AppVeyor configuration
b4e8e53 chore(package): update istanbul to version 0.4.0
b646e2a Merge pull request [Snyk] Security upgrade karma from 0.12.37 to 5.0.8 #139 from terinjokes/greenkeeper-istanbul-0.3.22
5e00139 chore(CI): upload to coveralls in after_success
36bf554 chore(package): update istanbul to version 0.3.22
4f1c636 1.4.2
d4dbc41 chore(CI): add coveralls
2804b0e chore(dependencies): update dependencies
1f3bd5f Merge pull request [Snyk] Security upgrade karma from 0.12.37 to 0.13.0 #134 from zaygraveyard/fix-typo-in-tests
82abf51 Fix a typo in the sourcemap test
44cc797 chore(changelog): changelog was not commited
d82f8d4 1.4.1
557b4d2 fix(minifier): detect non-object options argument
f8412fd chore(travis-ci): test on Node 4.x
23639f3 1.4.0

See the full diff

With a Snyk patch:

Severity	Priority Score (*)	Issue	Exploit Maturity
	479/1000 Why? Has a fix available, CVSS 5.3	Insecure Randomness npm:ws:20160920	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Some vulnerabilities couldn't be fully fixed and so Snyk will still find them when the project is tested again. This may be because the vulnerability existed within more than one direct dependency, but not all of the affected dependencies could be upgraded.

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution
🦉 Regular Expression Denial of Service (ReDoS)
🦉 Insecure Randomness