[Snyk] Fix for 31 vulnerabilities

[ebarahona]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json
  • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	619/1000 Why? Has a fix available, CVSS 8.1	Prototype Pollution SNYK-JS-AJV-584908	Yes	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	579/1000 Why? Has a fix available, CVSS 7.3	Arbitrary File Overwrite SNYK-JS-FSTREAM-174725	Yes	No Known Exploit
	584/1000 Why? Has a fix available, CVSS 7.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-HAWK-2808852	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-HOSTEDGITINFO-1088355	Yes	Proof of Concept
	703/1000 Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 6.2	Missing Release of Resource after Effective Lifetime SNYK-JS-INFLIGHT-6095116	No	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-INI-1048974	No	Proof of Concept
	644/1000 Why? Has a fix available, CVSS 8.6	Prototype Pollution SNYK-JS-JSONSCHEMA-1920922	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-3050818	Yes	No Known Exploit
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Prototype Pollution SNYK-JS-MINIMIST-2429795	Yes	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Poisoning SNYK-JS-QS-3153490	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Server-side Request Forgery (SSRF) SNYK-JS-REQUEST-3361831	No	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	Yes	Proof of Concept
	624/1000 Why? Has a fix available, CVSS 8.2	Arbitrary File Overwrite SNYK-JS-TAR-1536528	No	No Known Exploit
	624/1000 Why? Has a fix available, CVSS 8.2	Arbitrary File Overwrite SNYK-JS-TAR-1536531	No	No Known Exploit
	410/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) SNYK-JS-TAR-1536758	No	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579147	No	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579152	No	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579155	No	No Known Exploit
	726/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.1	Arbitrary File Overwrite SNYK-JS-TAR-174125	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	No	Proof of Concept
	711/1000 Why? Mature exploit, Has a fix available, CVSS 6.5	Uninitialized Memory Exposure npm:atob:20180429	Yes	Mature
	479/1000 Why? Has a fix available, CVSS 5.3	Insecure Randomness npm:cryptiles:20180710	Yes	No Known Exploit
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	No	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution npm:deep-extend:20180409	No	Proof of Concept
	579/1000 Why? Has a fix available, CVSS 7.3	Prototype Pollution npm:extend:20180424	Yes	No Known Exploit
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:hoek:20180212	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:sshpk:20180409	Yes	Proof of Concept
	646/1000 Why? Mature exploit, Has a fix available, CVSS 5.2	Uninitialized Memory Exposure npm:stringstream:20180511	Yes	Mature
	509/1000 Why? Has a fix available, CVSS 5.9	Regular Expression Denial of Service (ReDoS) npm:tough-cookie:20170905	No	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: browser-sync

The new version differs by 147 commits.

• 2b55728 v2.26.9
• 2bf8812 v2.26.8
• 0f3cc0b fix: npm audit fixes (root)
• ba1f09f fix: npm audit fixes
• d89252a Merge pull request #1749 from ProLoser/securityFix
• df81272 Merge pull request #1771 from tolulawson/master
• 64f87b9 Merge pull request #1768 from fozzleberry/bump-http-proxy-1.18.1
• 43dc459 Merge pull request #1725 from nitinbansal1989/master
• 894d031 -- Corrected codesync tagline
• 0667104 used correct syntax on bump
• 938e611 bumped node engines to >= 8.0.0
• 20a0334 bumped http proxy to >=1.18.1
• c103029 Security fix for #1649
• 864c9f1 upgrade chokidar version
• 2191369 v2.26.7
• 53f9b36 docs: readme
• 0b3d98b v2.26.6
• fdfc681 tests: add e2e tests to package.json
• c56cfd9 Merge pull request #1698 from emeitch/fix_deprecated_header
• 2fd598f Merge pull request #1690 from XhmikosR/xmr-ci
• 841ccd5 Merge pull request #1694 from coliff/patch-1
• 209c9c1 Merge pull request #1697 from gaards/update-localtunnel
• 87bee4b Use getHeaders or _headers
• 77abfd3 Update localtunnel

See the full diff

Package name: gulp

The new version differs by 134 commits.

• 55eb23a Release: 4.0.0
• 173a532 Docs: Fix the installation instructions
• ec54d09 Docs: Improve note about out-of-date docs
• 03b7c98 Docs: Update recipes to install gulp@next
• 2eba29e Docs: Remove run-sequence from recipes
• 76eb4d6 Docs: Add installation instructions & update badges
• fbc162f Docs: Remove references to gulp-util
• 3011cf9 Scaffold: Normalize repository
• f27be05 Update: Remove graceful-fs from test suite
• 361ab63 Upgrade: Update glob-watcher
• 064d100 Build: Avoid broken node 9
• 057df59 Release: 4.0.0-alpha.3
• c1ba80c Breaking: Upgrade major versions of glob-watcher, gulp-cli & vinyl-fs
• 89acc5c Docs: Improve ES2015 task exporting examples (#1999)
• 0ac9e04 Docs: Add "Project structure" section to CONTRIBUTING.md (#1859)
• 723cbc4 Docs: Fix syntax in recipe example (#1715)
• d420a6a Docs: Have gulp.lastRun take a function to avoid task registration (#1828)
• 29ece6f Upgrade: Update undertaker
• e931cb0 Docs: Fix changelog typos (#1696)
• 477db84 Docs: Add a "BrowserSync with Gulp 4" recipe (#1659)
• d4ed3c7 Docs: Add options.cwd for gulp.src API (#1645)
• 5dc3b07 Docs: Update gulp.watch API to align with glob-watcher
• 0c66069 Breaking: Replace chokidar as gulp.watch with glob-watcher wrapper
• c3dbc10 Docs: Clarify incremental builds example (#1609)

See the full diff

Package name: gulp-autoprefixer

The new version differs by 10 commits.

• d008588 4.1.0
• 27816c3 Meta tweaks
• 94f3447 Drop dependency on deprecated gulp-util ([Snyk] Fix for 1 vulnerabilities #94)
• 60aead3 Test against Node.js v8 ([Snyk] Fix for 1 vulnerabilities #90)
• 5188604 4.0.0
• 04814b7 Rewrite tests to use AVA
• 7df69ba ES2015ify, bump postcss, require Node.js 4
• 0a92d79 Update to Autoprefixer 7 ([Snyk] Fix for 1 vulnerable dependencies #80)
• cd022c8 Fix tests
• 90f8f7c Improve the tip ([Snyk] Fix for 1 vulnerable dependencies #75)

See the full diff

Package name: gulp-babel

The new version differs by 3 commits.

• f1685be v7.0.1
• dcd652e Fix: Drop dependency on `gulp-util`
• 6cb45a1 add babel-core dep install [skip ci]

See the full diff

Package name: gulp-flatten

The new version differs by 5 commits.

• 0119b8c new verstion with dropped deprecated deps
• 14b1908 tests now passes on node 9.x.x
• fc2e3f9 Merge pull request [Snyk] Fix for 1 vulnerable dependencies #15 from TheDancingCode/issue-14
• bff1212 Drop dependency on deprecated `gulp-util`
• 8a83216 exapmple output fix

See the full diff

Package name: gulp-iconfont

The new version differs by 41 commits.

• 3d935c1 Release v11.0.0
• 1a5b6f4 Merge pull request [Snyk] Security upgrade browser-sync from 2.23.3 to 2.27.11 #187 from nfroidure/gulp-ttf2woff2
• ae4bd62 Do not publish .github
• 3643cc6 Require Node 12+
• 5f22074 Update [email protected]
• 7507aee Merge pull request [Snyk] Security upgrade express from 4.16.2 to 4.17.3 #186 from nfroidure/actions
• 4c81f3b Update CI badge in README.md
• eb6a935 Remove .travis.yml
• 10deed6 Increase timeout on async test
• 7545acc Run on ubuntu-latest
• e2fd250 Do not reinstall packages already installed
• 6bef293 Copy install script from Dockerfile
• b60a2f6 Use GitHub Actions for CI
• 0a5245d Merge pull request [Snyk] Fix for 1 vulnerabilities #177 from nfroidure/travis
• b85eb5b Run CI on Ubuntu 14.04
• 6067b8f Merge pull request [Snyk] Security upgrade gulp.spritesmith from 6.9.0 to 6.13.0 #176 from nfroidure/readme
• 195dd04 Fix formatting in README.md
• d751ba6 10.0.3
• b0e8399 Merge pull request [Snyk] Fix for 2 vulnerabilities #175 from pioug/master
• ed9dae2 Add support for Node.js 11/12
• 47cde1a 10.0.2
• a4a2b5e updated dependencies
• 0819325 10.0.1
• cb86fe2 Use multipipe instead of plexer: no need for explicit error handling, simpler code.

See the full diff

Package name: gulp-iconfont-css

The new version differs by 28 commits.

• 6901627 Merge pull request [Snyk] Fix for 1 vulnerable dependencies #67 from backflip/feature/cleanup
• 9cfefa1 Remove gulp-util, bumped engine
• ef1af81 Merge pull request [Snyk] Fix for 1 vulnerable dependencies #66 from backflip/feature/add-sass-template
• 52dfca9 Updated README
• 693f927 Added sass file to config and tests
• 46ddc99 adds sass template
• 79a0107 Merge pull request [Snyk] Fix for 1 vulnerable dependencies #65 from backflip/feature/event-stream
• 00e8ff0 Locked event-stream to 3.3.4 due to vulnerability in newer versions
• d71d872 Merge pull request [Snyk] Fix for 1 vulnerable dependencies #64 from backflip/feature/travis
• d0e9882 Updated code, dependencies and tests
• bdf485f Removed lock file
• 347fcd8 Updated Travis config
• 332e274 Added lock file to gitignore
• 98fbc78 Merge pull request [Snyk] Fix for 7 vulnerable dependencies #63 from FeliceC/master
• bebd036 removed deprecated gulp-utill
• 8a7bae3 Updated new test file for alias config
• 115fb8a Merge branch 'master' of https://github.com/backflip/gulp-iconfont-css
• 70bead4 Merge pull request [Snyk] Fix for 7 vulnerable dependencies #57 from bradrisse/master
• 0e040b4 2.2.0
• 8569024 Merge branch 'master' into master
• ba8f742 Rename aliasRoot to originalFileName
• 3330d4b Merge pull request [Snyk] Fix for 1 vulnerable dependencies #42 from mrtbld/feature/cachebusting
• 1f34898 Aliases option
• e150150 fixup! Add cache buster config option

See the full diff

Package name: gulp-less

The new version differs by 4 commits.

• 7d9df97 4.0.0
• cde149b Update accord to support [email protected] - closes Version 10 of node.js has been released Gottwik/Enduro#269
• 453625a 3.5.0
• d706f87 fix(deps): update accord to version 0.28 (Can't reopen existing project Gottwik/Enduro#281)

See the full diff

Package name: gulp-sass

The new version differs by 38 commits.

• 5775044 Update CHANGELOG.md
• 978b8f6 Update to major version 5 (#802)
• 10eae93 Update changelog for 4.1.1
• 947b26c Upgrade lodash to fix a security issue (#776)
• 8d6ac29 Update changelog
• 43c0547 4.1.0
• ebe3ec6 Set appropriate file stat times (#763)
• 7ab018e Migrate to the lodash package
• fa670c6 4.0.2
• fefa00e Revert package.json version bump
• 98254d2 Fix README typos
• 8a14419 Continue loading Node Sass by default
• 938afbe Add a note about synchronous versus asynchronous speed
• 7cc2db1 Make this package implementation-agnostic
• 643f73b Add documentation for synchronous code options
• 0b3c7e7 4.0.1
• daca90d Merge pull request #681 from DKvistgaard/master
• 71471c2 Declaring logError as function instead of arrow function.
• 450a7b8 4.0.0
• e9b1fe8 Fix node versions in appveyor.yml
• 44be409 Merge pull request #667 from dlmanning/next
• 7656eff Adopt airbnb eslint preset
• 1293169 Bump autoprefixer@^8.1.0, gulp-postcss@^7.0.1
• 9fa817b Bump gulp-sourcemaps@^2.6.4

See the full diff

Package name: gulp-sourcemaps

The new version differs by 21 commits.

• 2bcfcbb 3.0.0
• d8bed0c Merge pull request #373 from adrian3d/update/doc-gulp-4
• 5686db3 Merge pull request #380 from kennyr87/gh-378/upgrade-css
• 2c66b2c Depdenency: Upgrade css to v3.0.0
• 9a9289b Breaking: Drop Node <6 support & upgrade identity-map which uses changes CSS sourcemaps (#376)
• 11d1e31 Update doc to gulp 4
• bd0aeb0 Docs: Temporarily point at phated/gulp-sourcemaps for AppVeyor badge
• 7e69e97 Build: Ensure tests pass on Windows
• 404eb5b Docs: Update badges
• 8a22ecc Scaffold: Convert repository to use gulp patterns (closes #357) (#367)
• 06cf0f0 2.6.5
• 8f68c5f Merge pull request #366 from gulp-sourcemaps/issue-363
• 178b1b7 issue-363: trying to get to 100% coverage again
• 3286f8f fixing older node code for es5
• 27e4c8b fixing linting errors
• 1de522e cleaning things up to get coverage up
• 01c802f issue-363: cleaned up commentFormatter code to handle css correctly on preExisting
• 5a99012 Use proper comment format for css with pre-existing comment.
• 492d937 2.6.4
• 6a037bf Merge pull request #344 from gormac/master
• fcf64d8 Prevent update to source-map 0.7.0

See the full diff

Package name: gulp-uglify

The new version differs by 9 commits.

• e4f9045 2.0.0
• 566ec6a refactor(tests): write tests with mocha
• 5651111 refactor(tests): replace `cmem` with `testdouble`
• b82387b refactor(tests): compose streams with `mississippi` utilities
• 1232c3c fix(errors): emit errors of type `GulpUglifyError`
• 5632cee fix(minifer): use `gulplog` for the warning
• 8160697 feat(minifier): use UglifyJS 2.7.0's input map support
• 3ec8fc3 chore(package): update uglify-js to version 2.7.0
• a9c55b9 doc(README): spelling mistake in example

See the full diff

Package name: gulp-watch

The new version differs by 7 commits.

• 80cd83e 5.0.1
• 6fe8912 Replace deprecated gulp-util (Assets in _generated in culture folders Gottwik/Enduro#303)
• 959128a 5.0.0
• 9208d48 Bump chokidar to ^2.0.0
• 02bd06d Update to newest vinyl for gulp 4 support (An in-range update of tar is breaking the build 🚨 Gottwik/Enduro#296)
• 4ced696 Add Node.js 9 and increase timeout to 5 secs
• aa8146f Remove unsupported versions of Node.js

See the full diff

Package name: gulp-wrap

The new version differs by 3 commits.

• a3f35ac Bumping to 0.14.0 for fix [Snyk] Fix for 8 vulnerable dependencies #40
• 056b43e Merge pull request [Snyk] Fix for 8 vulnerable dependencies #40 from TheDancingCode/issue-39
• 1450c91 Drop dependency on deprecated `gulp-util`

See the full diff

Package name: npm

The new version differs by 250 commits.

• 3b4ba65 7.0.0
• bbfc75d chore: fix weird .gitignore thing that happened somehow
• 8a2d375 docs: changelog for v7.0.0
• 365f2e7 [email protected]
• fafb348 [email protected]
• 9306c68 [email protected]
• 569cd64 [email protected]
• ac9fde7 Integration code for @ npmcli/[email protected]
• 704b9cd @ npmcli/[email protected]
• 3955bb9 [email protected]
• da240ef fix: patch config.js to remove duplicate values
• 9ae45a8 [email protected]
• 41ab36d [email protected]
• c474a15 [email protected]
• efc6786 fix: make sure publishConfig is passed through
• 1e4e6e9 docs: v7 using npm config refresh
• 5c1c2da fix: init config aliases
• 5bc7eb2 docs: v7 npm-install refresh
• 1a35d87 7.0.0-rc.4
• 7a5a557 docs: changelog for v7.0.0-rc.4
• f0cf859 chore: dedupe deps
• 0273745 [email protected]
• 7bd47ca @ npmcli/[email protected]
• 9320b8e only escape arguments, not the command name

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution
🦉 Regular Expression Denial of Service (ReDoS)
🦉 Server-side Request Forgery (SSRF)
🦉 More lessons are available in Snyk Learn