[Snyk] Fix for 23 vulnerabilities

[enterstudio]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	679/1000 Why? Has a fix available, CVSS 9.3	Incomplete List of Disallowed Inputs SNYK-JS-BABELTRAVERSE-5962463	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	Yes	Proof of Concept
	641/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.4	Prototype Pollution SNYK-JS-JSON5-3182856	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	Yes	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-450202	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-608086	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-73638	Yes	Proof of Concept
	541/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	Yes	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASHTEMPLATE-1088054	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-MERGE-1040469	Yes	No Known Exploit
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-MERGE-1042987	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-1019388	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-3050818	Yes	No Known Exploit
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Server-side Request Forgery (SSRF) SNYK-JS-REQUEST-3361831	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	Yes	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-UGLIFYJS-1727251	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-UNSETVALUE-2400660	Yes	No Known Exploit
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:braces:20180219	Yes	Proof of Concept
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:lodash:20180130	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:minimatch:20160620	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: babel-eslint

The new version differs by 43 commits.

• 0f20099 5.0.0
• 278579f Update README.md
• 11c2f03 Merge pull request Validate status fields mozilla/platform-status#255 from deepsweet/npm-ignore
• 3b5f8f4 include only `index.js` in npm package
• c0f1110 delete `.npmignore`
• f399c89 Merge pull request Automatically check validity of *_ref fields when building mozilla/platform-status#250 from danez/patch-1
• c71392e adjust test to also cover issue Make resolved count reflect the status of the tracking bug mozilla/platform-status#239
• 413b80e 5.0.0-beta10
• 7a038d5 Merge pull request Show 'Complete' if the tracking bug is resolved mozilla/platform-status#246 from babel/escope-patterns
• c80a386 fixup tests
• 36f6638 fix typo
• bd4eee9 check using `__esModule`
• b26bc58 Prevent escope referencer from traversing into param pattern type annotations
• 0d30882 5.0.0-beta9
• 71fadf0 Merge pull request Add Web Speech Synthesis API. Fixes #243 mozilla/platform-status#244 from christophehurpeau/patch-1
• d8ac8f9 fix Add Web Speech Synthesis API to Firefox status mozilla/platform-status#243
• 3dcb32c 5.0.0-beta8
• ac4d3f0 Add a test for use strict and directive ast change
• 937eceb 5.0.0-beta7
• 880dc03 Merge pull request Add Shared Worker API mozilla/platform-status#241 from jmm/rule-strict
• 80f7a48 temporarily remove test
• 04838a2 Add tests for `strict` rule.
• 4a3a35d Merge pull request postcss-cssnext@2.3.0 breaks build 🚨 mozilla/platform-status#232 from vaibhavmule/patch-1
• 0cf92d3 update Licenses date

See the full diff

Package name: babelify

The new version differs by 6 commits.

• b06b778 8.0.0
• ea73917 Remove path-is-absolute devDep
• 02f97ec drop node 0.10/0.12, add peerDep on babel-core instead of dep, drop object-assign, add package-lock
• 6d45fa8 Explicitly test Node 4, 5 and 6 in travis
• 9944a55 Explain the double negatives a bit better (Show build results for the master branch mozilla/platform-status#197)
• d9e3029 babelify in quotes in example (Update eslint-config-airbnb mozilla/platform-status#198)

See the full diff

Package name: eslint

The new version differs by 250 commits.

• ff8c4bb 4.5.0
• 480bbee Build: changelog update for 4.5.0
• decdd2c Update: allow arbitrary nodes to be ignored in `indent` (fixes #8594) (#9105)
• 79062f3 Update: fix indentation of multiline `new.target` expressions (#9116)
• d00e24f Upgrade: `chalk` to 2.x release (#9115)
• 6ef734a Docs: add missing word in processor documentation (#9106)
• a4f53ba Fix: Include files with no messages in junit results (#9093) (#9094)
• 1d6a9c0 Chore: enable eslint-plugin/test-case-shorthand-strings (#9067)
• f8add8f Fix: don't autofix with linter.verifyAndFix when `fix: false` is used (#9098)
• 77bcee4 Docs: update instructions for adding TSC members (#9086)
• bd09cd5 Update: avoid requiring NaN spaces of indentation (fixes #9083) (#9085)
• c93a853 Chore: Remove extra space in blogpost template (#9088)
• 0d9da6d 4.4.1
• 1ea9a6c Build: changelog update for 4.4.1
• ec93614 Fix: no-multi-spaces to avoid reporting consecutive tabs (fixes #9079) (#9087)
• a113cd3 4.4.0
• 181bd46 Build: changelog update for 4.4.0
• 89196fd Upgrade: Espree to 3.5.0 (#9074)
• b3e4598 Fix: clarify AST and don't use `node.start`/`node.end` (fixes #8956) (#8984)
• 62911e4 Update: Add ImportDeclaration option to indent rule (#8955)
• de75f9b Chore: enable object-curly-newline & object-property-newline.(fixes #9042) (#9068)
• 5ae8458 Docs: fix typo in object-shorthand.md (#9066)
• c3d5b39 Docs: clarify options descriptions (fixes #8875) (#9060)
• 37158c5 Docs: clarified behavior of globalReturn option (fixes #8953) (#9058)

See the full diff

Package name: gulp

The new version differs by 134 commits.

• 55eb23a Release: 4.0.0
• 173a532 Docs: Fix the installation instructions
• ec54d09 Docs: Improve note about out-of-date docs
• 03b7c98 Docs: Update recipes to install gulp@next
• 2eba29e Docs: Remove run-sequence from recipes
• 76eb4d6 Docs: Add installation instructions & update badges
• fbc162f Docs: Remove references to gulp-util
• 3011cf9 Scaffold: Normalize repository
• f27be05 Update: Remove graceful-fs from test suite
• 361ab63 Upgrade: Update glob-watcher
• 064d100 Build: Avoid broken node 9
• 057df59 Release: 4.0.0-alpha.3
• c1ba80c Breaking: Upgrade major versions of glob-watcher, gulp-cli & vinyl-fs
• 89acc5c Docs: Improve ES2015 task exporting examples (#1999)
• 0ac9e04 Docs: Add "Project structure" section to CONTRIBUTING.md (#1859)
• 723cbc4 Docs: Fix syntax in recipe example (#1715)
• d420a6a Docs: Have gulp.lastRun take a function to avoid task registration (#1828)
• 29ece6f Upgrade: Update undertaker
• e931cb0 Docs: Fix changelog typos (#1696)
• 477db84 Docs: Add a "BrowserSync with Gulp 4" recipe (#1659)
• d4ed3c7 Docs: Add options.cwd for gulp.src API (#1645)
• 5dc3b07 Docs: Update gulp.watch API to align with glob-watcher
• 0c66069 Breaking: Replace chokidar as gulp.watch with glob-watcher wrapper
• c3dbc10 Docs: Clarify incremental builds example (#1609)

See the full diff

Package name: gulp-eslint

The new version differs by 55 commits.

• 1d79ed0 4.0.1
• 8f7e966 replace all HTTP protocols with HTTPS
• b48a04a remove deprecated gulp-util dependency (fix unbalanced tags in header mozilla/platform-status#213)
• 35eae57 update devDependencies (Remove standardization as a required field. mozilla/platform-status#207)
• 47bd269 use npx to simplify after_script
• 29dbab5 inherit autofix-related props even if `quiet` option is enabled
• a398838 4.0.0
• 18a4299 emit an error when it fails to load an ESLint plugin
• b8bf261 update ESLint from v3 to v4 (Update eslint-config-airbnb mozilla/platform-status#198)
• c0e82ce use `Buffer.from` instead of `new Buffer`
• e6c67a2 drop support for linting `Stream` contents
• 132d5cc Fix formatting issues in README.md (Update eslint-config-airbnb to version 1.0.2 🚀 mozilla/platform-status#194)
• 7f65378 remove link to config file `globals` doc
• 8ddfb84 correct the type of `globals` option in README
• 6059c22 3.0.1
• b0c2816 ensure sharable config works
• 08b9212 test the case where babel-eslint is actually useful
• eb98701 mock stream-mode vinyl files with from2-string
• bcd7736 fix invalid `envs` option
• 286b0c4 remove unused fixtures
• e2723e1 Remove unnecessary `object-assign` dependency
• 82c1949 3.0.0
• 97d8638 Remove invalid options in example code
• 505779d Remove option aliases

See the full diff

Package name: gulp-inline-source

The new version differs by 10 commits.

• c2a1776 chore: bump semantic release
• ef05833 feat: replace the deprecated gulp-util package
• 8f8007b test: add test for error throwing when trying to compress non-ES5 syntax
• 029107b test: fix failing tests
• 0b49856 feat: update to latest inline-source
• faf511d Work better with inline-source 5.2.0 ([Snyk] Fix for 1 vulnerabilities #31)
• ccf6775 ci: set up semantic-release
• 4124e07 Release 3.0.0
• bda8600 rm iojs and add latest node to travis.yml
• 175d39f upgrade to inline-source@5.0, closes [Snyk] Fix for 1 vulnerabilities #25

See the full diff

Package name: gulp-postcss

The new version differs by 15 commits.

• 9166fdb Release 7.0.1
• 0af46f5 Merge pull request Features description cleanup mozilla/platform-status#137 from ohbarye/drop-dependency-on-gulp-util
• 6f15b51 Drop dependency on gulp-util
• 3a1d0df Merge pull request Responsive design for TV mozilla/platform-status#126 from gucong3000/coverage
• 2748681 fix eslint error, add test case
• 355d90b add coverage report
• 2cb352f Release 7.0.0
• 8dd0235 Merge pull request Update babel-core to version 6.1.4 🚀 mozilla/platform-status#116 from postcss/postcss60
• 18e31d8 Use PostCSS 6.0 and drop node 0.12
• 96f6d24 Merge pull request Cache bugzilla queries. mozilla/platform-status#113 from gucong3000/eslint
• 7c5e513 npm install --save-dev mocha@3.3.0 sinon@2.2.0
• 2b319cb fix broke tests for node 0.12
• 4201543 add `eslint`
• dd03625 Merge pull request add Device Orientation mozilla/platform-status#112 from jorrit/patch-1
• 28e20ef Cleanup NPM package

See the full diff

Package name: gulp-uglify

The new version differs by 9 commits.

• e4f9045 2.0.0
• 566ec6a refactor(tests): write tests with mocha
• 5651111 refactor(tests): replace `cmem` with `testdouble`
• b82387b refactor(tests): compose streams with `mississippi` utilities
• 1232c3c fix(errors): emit errors of type `GulpUglifyError`
• 5632cee fix(minifer): use `gulplog` for the warning
• 8160697 feat(minifier): use UglifyJS 2.7.0's input map support
• 3ec8fc3 chore(package): update uglify-js to version 2.7.0
• a9c55b9 doc(README): spelling mistake in example

See the full diff

Package name: postcss-cssnext

The new version differs by 16 commits.

• 7730660 3.0.1
• 483b81f Fixed: specify the actual require peer dependency for caniuse database (caniuse-lite is used since latest caniuse-api latest major bump)
• 50557fa Fixed: bump dependencies not updated to PostCSS@6
• efb7100 Update babel config + some devDeps to be able to build website
• 69169ac update package-lock.json to 3.0.0
• 03b6017 3.0.0
• cf9fb19 Docs: fix chalk update issue
• b7d6ffd Merge pull request fetch-mock@4.3.1 breaks build ⚠️ mozilla/platform-status#400 from MoOx/postcss6-upgrade
• 1781dc7 Docs: Fix id of overflow wrap property in index (Build on heroku fails with "max number of clients reached" for redis mozilla/platform-status#393)
• 8b99180 Ensure a version of caniuse-db that includes css-image-set (More info in "embedded" feature pages mozilla/platform-status#380)
• db0f0fa Add a warning for custom property sets that are going to be removed + an option to hide the warning
• cc7c864 Change: support node4+ up to 8
• 7bb55c1 chore: add package-lock.json and yarn.lock files
• 20ae74d Change: upgrade to PostCSS 6
• af5f9c1 Change link to custom media queries specification
• 974e40b Fix PR link

See the full diff

Package name: postcss-import

The new version differs by 11 commits.

• 32470ed 9.0.0
• 7d9099c Merge branch 'v9-dev'
• 7124d43 BREAKING: Remove transform option (Automatically check validity of *_ref fields when building mozilla/platform-status#250)
• dfe4c23 Add warning message for deprecated addDependencyTo option (There are no warnings for invalid *_status fields mozilla/platform-status#251)
• 9fdde94 BREAKING: Rewrite imported file parsing
• 883669d Reorganize tests
• a15e402 Change resolve behavior (Shared Array Buffers bug is "NEW" and all the bugs it depends on are open, but we show it "Complete" mozilla/platform-status#249)
• 49cf9be Deprecate addDependencyTo
• dbb2f60 Add docs for dependency message
• 3352a37 BREAKING: File not found is an Error, not a Warning (Automatically deploy pull requests to heroku mozilla/platform-status#247)
• 0cf36ec BREAKING: Remove pkg-resolve as a dep (Add Web Speech Synthesis API to Firefox status mozilla/platform-status#243)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Prototype Pollution
🦉 Server-side Request Forgery (SSRF)