[Snyk] Fix for 32 vulnerabilities #6

Open
wants to merge 1 commit into
base: master

snyk-bot

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • package.json
    • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:
| Severity | Priority Score (*) | Issue | Breaking Change | Exploit Maturity |
|---|---|---|---|---|
| high severity | 696/1000 (Why? Proof of Concept exploit, Has a fix available, CVSS 7.5) | Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908 | Yes | Proof of Concept |
| medium severity | 616/1000 (Why? Proof of Concept exploit, Has a fix available, CVSS 5.9) | Server-Side Request Forgery (SSRF) SNYK-JS-AXIOS-1038255 | No | Proof of Concept |
| high severity | 696/1000 (Why? Proof of Concept exploit, Has a fix available, CVSS 7.5) | Regular Expression Denial of Service (ReDoS) SNYK-JS-AXIOS-1579269 | No | Proof of Concept |
| medium severity | 586/1000 (Why? Proof of Concept exploit, Has a fix available, CVSS 5.3) | Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905 | No | Proof of Concept |
| medium severity | 586/1000 (Why? Proof of Concept exploit, Has a fix available, CVSS 5.3) | Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905 | No | Proof of Concept |
| high severity | 681/1000 (Why? Proof of Concept exploit, Has a fix available, CVSS 7.2) | Command Injection SNYK-JS-LODASH-1040724 | No | Proof of Concept |
| critical severity | 704/1000 (Why? Has a fix available, CVSS 9.8) | Prototype Pollution SNYK-JS-LODASH-590103 | No | No Known Exploit |
| high severity | 686/1000 (Why? Proof of Concept exploit, Has a fix available, CVSS 7.3) | Prototype Pollution SNYK-JS-LODASH-608086 | No | Proof of Concept |
| medium severity | 658/1000 (Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 5.3) | Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-2342073 | Yes | Proof of Concept |
| medium severity | 658/1000 (Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 5.3) | Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-2342082 | Yes | Proof of Concept |
| high severity | 589/1000 (Why? Has a fix available, CVSS 7.5) | Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-1019388 | Yes | No Known Exploit |
| high severity | 706/1000 (Why? Proof of Concept exploit, Has a fix available, CVSS 7.7) | Server-side Request Forgery (SSRF) SNYK-JS-NETMASK-1089716 | No | Proof of Concept |
| medium severity | 479/1000 (Why? Has a fix available, CVSS 5.3) | Improper Certificate Validation SNYK-JS-NODESASS-1059081 | Yes | No Known Exploit |
| high severity | 696/1000 (Why? Proof of Concept exploit, Has a fix available, CVSS 7.5) | Prototype Pollution SNYK-JS-NUNJUCKS-1079083 | No | Proof of Concept |
| high severity | 686/1000 (Why? Proof of Concept exploit, Has a fix available, CVSS 7.3) | Prototype Pollution SNYK-JS-OBJECTPATH-1017036 | No | Proof of Concept |
| medium severity | 494/1000 (Why? Has a fix available, CVSS 5.6) | Prototype Pollution SNYK-JS-OBJECTPATH-1569453 | No | No Known Exploit |
| high severity | 726/1000 (Why? Proof of Concept exploit, Has a fix available, CVSS 8.1) | Remote Code Execution (RCE) SNYK-JS-PACRESOLVER-1564857 | No | Proof of Concept |
| medium severity | 586/1000 (Why? Proof of Concept exploit, Has a fix available, CVSS 5.3) | Insecure Defaults SNYK-JS-SOCKETIO-1024859 | No | Proof of Concept |
| high severity | 696/1000 (Why? Proof of Concept exploit, Has a fix available, CVSS 7.5) | Denial of Service (DoS) SNYK-JS-SOCKETIOPARSER-1056752 | No | Proof of Concept |
| high severity | 624/1000 (Why? Has a fix available, CVSS 8.2) | Arbitrary File Overwrite SNYK-JS-TAR-1536528 | Yes | No Known Exploit |
| high severity | 624/1000 (Why? Has a fix available, CVSS 8.2) | Arbitrary File Overwrite SNYK-JS-TAR-1536531 | Yes | No Known Exploit |
| low severity | 410/1000 (Why? Has a fix available, CVSS 3.7) | Regular Expression Denial of Service (ReDoS) SNYK-JS-TAR-1536758 | Yes | No Known Exploit |
| high severity | 639/1000 (Why? Has a fix available, CVSS 8.5) | Arbitrary File Write SNYK-JS-TAR-1579147 | Yes | No Known Exploit |
| high severity | 639/1000 (Why? Has a fix available, CVSS 8.5) | Arbitrary File Write SNYK-JS-TAR-1579152 | Yes | No Known Exploit |
| high severity | 639/1000 (Why? Has a fix available, CVSS 8.5) | Arbitrary File Write SNYK-JS-TAR-1579155 | Yes | No Known Exploit |
| high severity | 589/1000 (Why? Has a fix available, CVSS 7.5) | Denial of Service (DoS) SNYK-JS-TRIMNEWLINES-1298042 | Yes | No Known Exploit |
| high severity | 696/1000 (Why? Proof of Concept exploit, Has a fix available, CVSS 7.5) | Regular Expression Denial of Service (ReDoS) SNYK-JS-UAPARSERJS-1023599 | No | Proof of Concept |
| medium severity | 616/1000 (Why? Proof of Concept exploit, Has a fix available, CVSS 5.9) | Regular Expression Denial of Service (ReDoS) SNYK-JS-UAPARSERJS-1072471 | No | Proof of Concept |
| high severity | 696/1000 (Why? Proof of Concept exploit, Has a fix available, CVSS 7.5) | Regular Expression Denial of Service (ReDoS) SNYK-JS-UAPARSERJS-610226 | No | Proof of Concept |
| medium severity | 586/1000 (Why? Proof of Concept exploit, Has a fix available, CVSS 5.3) | Regular Expression Denial of Service (ReDoS) SNYK-JS-WS-1296835 | No | Proof of Concept |
| high severity | 726/1000 (Why? Proof of Concept exploit, Has a fix available, CVSS 8.1) | Arbitrary Code Injection SNYK-JS-XMLHTTPREQUESTSSL-1082936 | No | Proof of Concept |
| high severity | 686/1000 (Why? Proof of Concept exploit, Has a fix available, CVSS 7.3) | Access Restriction Bypass SNYK-JS-XMLHTTPREQUESTSSL-1255647 | No | Proof of Concept |

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: browser-sync The new version differs by 149 commits.
  • d7cdcec v2.26.14
  • 783b741 v2.26.14-y.2
  • 368f89e fix(deps): upgraded localtunnel to fix axios issue
  • cbd2f34 v2.26.14-y.1
  • 9ded19e v2.26.14-y.0
  • 235ce22 publish scripts
  • 9416fbf v2.26.14-alpha.1
  • aacc59f v2.26.14-alpha.0
  • bb035b4 chore(ci): trying to get reliable builds on appveyor
  • 2320195 chore(deps): same version of socket.io-client everywhere
  • b0e8538 updating deps
  • f3d49ba chore: update scripts
  • cdbcabd chore: apply prettier
  • 148c151 chore: remove bootstrap
  • 02175da chore: remove bootstrap
  • 2fe13e0 chore: remove bootstrap
  • da5ab89 chore: updated lock-file
  • 5aca695 Merge pull request #1836
  • 8ee49b1 fix: socket.io had a breaking change related to cors which broken the UI
  • 35363e1 build(deps): bump socket.io in /packages/browser-sync
  • 4acc350 chore: lock file differences
  • 60498df Merge pull request #1796 from BrowserSync/dependabot/npm_and_yarn/node-fetch-2.6.1
  • 8e4d802 Merge pull request #1786 from BrowserSync/dependabot/npm_and_yarn/packages/browser-sync-ui/elliptic-6.5.3
  • 1cb50a4 Merge pull request #1787 from BrowserSync/dependabot/npm_and_yarn/packages/browser-sync-client/elliptic-6.5.3

See the full diff

Package name: gulp The new version differs by 134 commits.
  • 55eb23a Release: 4.0.0
  • 173a532 Docs: Fix the installation instructions
  • ec54d09 Docs: Improve note about out-of-date docs
  • 03b7c98 Docs: Update recipes to install gulp@next
  • 2eba29e Docs: Remove run-sequence from recipes
  • 76eb4d6 Docs: Add installation instructions & update badges
  • fbc162f Docs: Remove references to gulp-util
  • 3011cf9 Scaffold: Normalize repository
  • f27be05 Update: Remove graceful-fs from test suite
  • 361ab63 Upgrade: Update glob-watcher
  • 064d100 Build: Avoid broken node 9
  • 057df59 Release: 4.0.0-alpha.3
  • c1ba80c Breaking: Upgrade major versions of glob-watcher, gulp-cli & vinyl-fs
  • 89acc5c Docs: Improve ES2015 task exporting examples (#1999)
  • 0ac9e04 Docs: Add "Project structure" section to CONTRIBUTING.md (#1859)
  • 723cbc4 Docs: Fix syntax in recipe example (#1715)
  • d420a6a Docs: Have gulp.lastRun take a function to avoid task registration (#1828)
  • 29ece6f Upgrade: Update undertaker
  • e931cb0 Docs: Fix changelog typos (#1696)
  • 477db84 Docs: Add a "BrowserSync with Gulp 4" recipe (#1659)
  • d4ed3c7 Docs: Add options.cwd for gulp.src API (#1645)
  • 5dc3b07 Docs: Update gulp.watch API to align with glob-watcher
  • 0c66069 Breaking: Replace chokidar as gulp.watch with glob-watcher wrapper
  • c3dbc10 Docs: Clarify incremental builds example (#1609)

See the full diff

Package name: gulp-nodemon The new version differs by 36 commits.
  • 7fcbc06 NPM audit. Closes #176.
  • 5100088 Merge pull request #174 from JacksonGariety/dependabot/npm_and_yarn/diff-3.5.0
  • 7c0c02e Merge pull request #173 from JacksonGariety/dependabot/npm_and_yarn/growl-1.10.5
  • fe95e64 Merge pull request #172 from JacksonGariety/dependabot/npm_and_yarn/mixin-deep-1.3.2
  • a8d4391 Merge pull request #171 from JacksonGariety/dependabot/npm_and_yarn/lodash-4.17.15
  • 3b01d33 Bump diff from 1.0.8 to 3.5.0
  • 5bd5530 Bump growl from 1.8.1 to 1.10.5
  • c5f4120 Bump mixin-deep from 1.3.1 to 1.3.2
  • f634d93 Bump lodash from 2.4.2 to 4.17.15
  • 028d498 Version bump
  • 5254572 Merge pull request #166 from spencerbeggs/master
  • ef52e08 Merge pull request #164 from aal89/master
  • 1916114 Removes event-stream module
  • 0002c45 Remove yarn.lock
  • 495afda Updates nodemon
  • 8c46ee1 Added lock file and updated gitignore to include to lock file
  • b7cd92d Updated nodemon dependency
  • 54f8778 Removed event-stream
  • 0e5bb86 Locked event-stream to v3.3.4
  • 8ae135f Upgrade depends to avoid flatmap-stream
  • b4234a3 Version bump
  • 033c27b Merge pull request #159 from bennyn/patch-1
  • 7ce2da0 Support Ctrl + C on Windows
  • 1a31fa2 Update nodemon. Remove (erroneously named) "test" folder.

See the full diff

Package name: gulp-sass The new version differs by 15 commits.
  • 5775044 Update CHANGELOG.md
  • 978b8f6 Update to major version 5 (#802)
  • 10eae93 Update changelog for 4.1.1
  • 947b26c Upgrade lodash to fix a security issue (#776)
  • 8d6ac29 Update changelog
  • 43c0547 4.1.0
  • ebe3ec6 Set appropriate file stat times (#763)
  • 7ab018e Migrate to the lodash package
  • fa670c6 4.0.2
  • fefa00e Revert package.json version bump
  • 98254d2 Fix README typos
  • 8a14419 Continue loading Node Sass by default
  • 938afbe Add a note about synchronous versus asynchronous speed
  • 7cc2db1 Make this package implementation-agnostic
  • 643f73b Add documentation for synchronous code options

See the full diff

Package name: marked The new version differs by 250 commits.
  • ae01170 chore(release): 4.0.10 [skip ci]
  • fceda57 🗜️ build [skip ci]
  • 8f80657 fix(security): fix redos vulnerabilities
  • c4a3ccd Merge pull request from GHSA-rrrm-qjm4-v8hf
  • d7212a6 chore(deps-dev): Bump jasmine from 4.0.0 to 4.0.1 (#2352)
  • 5a84db5 chore(deps-dev): Bump rollup from 2.62.0 to 2.63.0 (#2350)
  • 2bc67a5 chore(deps-dev): Bump markdown-it from 12.3.0 to 12.3.2 (#2351)
  • 98996b8 chore(deps-dev): Bump @babel/preset-env from 7.16.5 to 7.16.7 (#2353)
  • ebc2c95 chore(deps-dev): Bump highlight.js from 11.3.1 to 11.4.0 (#2354)
  • e5171a9 chore(release): 4.0.9 [skip ci]
  • 41990a5 🗜️ build [skip ci]
  • a9696e2 fix: retain line breaks in tokens properly (#2341)
  • 6aacd13 chore(deps-dev): Bump jasmine from 3.10.0 to 4.0.0 (#2343)
  • 55e5df9 chore(deps-dev): Bump @babel/core from 7.16.5 to 7.16.7 (#2344)
  • 4f4cab4 chore(deps-dev): Bump eslint-plugin-import from 2.25.3 to 2.25.4 (#2345)
  • 97ea9f2 chore(deps-dev): Bump eslint from 8.5.0 to 8.6.0 (#2346)
  • 4c3b853 chore(deps-dev): Bump rollup-plugin-license from 2.6.0 to 2.6.1 (#2347)
  • 9396896 chore(deps-dev): Bump rollup from 2.61.1 to 2.62.0 (#2338)
  • 103a56c chore(deps-dev): Bump @babel/preset-env from 7.16.4 to 7.16.5 (#2333)
  • be771c9 chore(deps-dev): Bump eslint from 8.4.1 to 8.5.0 (#2334)
  • 67d5a65 chore(deps-dev): Bump @babel/core from 7.16.0 to 7.16.5 (#2335)
  • 991493a chore(deps-dev): Bump eslint-plugin-promise from 5.2.0 to 6.0.0 (#2336)
  • 59375fb chore(release): 4.0.8 [skip ci]
  • 4734c82 🗜️ build [skip ci]

See the full diff

Package name: nunjucks The new version differs by 77 commits.
  • fd50090 Release v3.2.3
  • d34fdbf Temporarily comment out codecov action
  • cefad41 Replace README.md travis badge with github actions
  • 7601ff4 Fixup github actions workflow file
  • de9dc67 Add GitHub Workflow for tests. fixes #1333
  • aa9e5b9 Fix prototype pollution security issue. fixes #1331
  • f51afa3 Move chokidar to peerDependencies and make it optional via peerDependenciesMeta (#1329)
  • f91f1c3 Fix `groupby` example formatting
  • 7ef121c Add base and default args to int filter
  • 0c02062 Use attribute getter for `sort` filter
  • c7337e7 Release v3.2.2
  • bea3a43 CHANGELOG: Fix issue link
  • 8186d4f Don't append extra newline when using |indent filter
  • 73a4eb3 Document `with context` behavior for `import` directive (fr)
  • eea081c Document `with context` behavior for `import` directive
  • bbcbaf3 Fix issue where sync render would not raise errors in included templates
  • 63c4baf Remove development files from NPM package. Fixes #984
  • 85918ef Document `if` statement with multiple conditions (fr). refs #1284
  • 7ddd747 Document `if` statement with multiple conditions
  • 1e29863 Add support for nested attributes in `groupBy` filter. Fixes #1198
  • 7087fa9 Fix precompile bin TypeError: name.replace is not a function
  • 1736334 Modify CHANGELOG message for select/reject filters
  • 62565a1 Add `reject` filter
  • 647fc11 Change version query

See the full diff

Package name: snyk The new version differs by 250 commits.
  • d7ebe15 Merge pull request #1093 from snyk/feat/bump-deps-to-use-patched-lodash
  • c359e05 feat: patching vulnerable lodash with @snyk/lodash
  • 39a5284 Merge pull request #1092 from snyk/fix/app-os-cli
  • 71ed530 fix: make sure branch exists
  • c8b4b8e Merge pull request #1090 from snyk/feat/app-os-cli
  • 4b969fd feat: adding target to container projects
  • fccaaae feat: bump docker-plugin to use new format
  • 2961d79 Merge pull request #1089 from snyk/feat/add-reachable-vulns-to-summary
  • 3487ca5 feat: add reachable vulns to the `snyk test` summary line
  • b1d0311 feat: include better user messages for reachable vuln
  • d4db5fe chore: add call graph size to analytics
  • 33fad1c Merge pull request #1079 from snyk/chore/upgrading-vuln-pkg
  • 8df372e fix: cli-server, fake-server and their tests now support Restify v8
  • b59f0b5 Merge pull request #1087 from snyk/feat/experimental-docker-archive
  • 5e627c6 feat: enable experimental docker-archive scanning
  • 3a383f0 Merge pull request #1085 from snyk/feat/update-opn-to-open
  • 1474223 feat: switch to use 'open' since 'opn' is deprecated
  • 0ca8676 Merge pull request #1086 from snyk/chore/fix-prettify
  • 9882190 chore: fix prettify for analytics.js
  • c728ada chore: lint
  • 1e0f0d2 chore: Update Restify to V8
  • 4836982 Merge pull request #1068 from snyk/feat/add-integration-name-to-analytics
  • 6316140 Merge pull request #1084 from snyk/fix/bump-ruby-semver
  • a3ea038 fix: bump ruby-semver to use min Node 8 instead of 10

See the full diff

Package name: standard The new version differs by 250 commits.
  • 866a666 package metadata
  • 34a39d2 update authors
  • 5a63a03 15.0.0
  • 36cbcd8 changelog
  • ab0e7a5 update deps
  • 3d0ea44 eslint-config-standard-jsx 9.0.0
  • 8c0513a eslint-config-standard 15.0.0
  • c8c255c changelog
  • 1af9b8a use "Indonesian" since it's the language name
  • c0fd567 remove sponsor link
  • b926ce2 remove spammy standard user link
  • 1cc9df7 changelog
  • 8e06e4f hallmark 3
  • e4c002a bump deps
  • 8bdade1 Merge pull request #1516 from pikadun/patch-1
  • 0c27f99 Merge pull request #1544 from yoga1234/master
  • 59b03fb Merge pull request #1461 from munierujp/update_japanese_docs
  • fd72454 Merge pull request #1545 from logustra/add-jublia-to-users
  • 1de7656 Merge pull request #1547 from kidonng/patch-1
  • 6558034 add 14.3.4 changelog
  • e1fa03e Update eslint to 7.11.0
  • 4a0e8b0 changelog
  • 4a84e61 remove weird whitespace
  • 523f004 Merge pull request #1519 from standard/eslint7

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908
- https://snyk.io/vuln/SNYK-JS-AXIOS-1038255
- https://snyk.io/vuln/SNYK-JS-AXIOS-1579269
- https://snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905
- https://snyk.io/vuln/SNYK-JS-LODASH-1018905
- https://snyk.io/vuln/SNYK-JS-LODASH-1040724
- https://snyk.io/vuln/SNYK-JS-LODASH-590103
- https://snyk.io/vuln/SNYK-JS-LODASH-608086
- https://snyk.io/vuln/SNYK-JS-MARKED-2342073
- https://snyk.io/vuln/SNYK-JS-MARKED-2342082
- https://snyk.io/vuln/SNYK-JS-MINIMATCH-1019388
- https://snyk.io/vuln/SNYK-JS-NETMASK-1089716
- https://snyk.io/vuln/SNYK-JS-NODESASS-1059081
- https://snyk.io/vuln/SNYK-JS-NUNJUCKS-1079083
- https://snyk.io/vuln/SNYK-JS-OBJECTPATH-1017036
- https://snyk.io/vuln/SNYK-JS-OBJECTPATH-1569453
- https://snyk.io/vuln/SNYK-JS-PACRESOLVER-1564857
- https://snyk.io/vuln/SNYK-JS-SOCKETIO-1024859
- https://snyk.io/vuln/SNYK-JS-SOCKETIOPARSER-1056752
- https://snyk.io/vuln/SNYK-JS-TAR-1536528
- https://snyk.io/vuln/SNYK-JS-TAR-1536531
- https://snyk.io/vuln/SNYK-JS-TAR-1536758
- https://snyk.io/vuln/SNYK-JS-TAR-1579147
- https://snyk.io/vuln/SNYK-JS-TAR-1579152
- https://snyk.io/vuln/SNYK-JS-TAR-1579155
- https://snyk.io/vuln/SNYK-JS-TRIMNEWLINES-1298042
- https://snyk.io/vuln/SNYK-JS-UAPARSERJS-1023599
- https://snyk.io/vuln/SNYK-JS-UAPARSERJS-1072471
- https://snyk.io/vuln/SNYK-JS-UAPARSERJS-610226
- https://snyk.io/vuln/SNYK-JS-WS-1296835
- https://snyk.io/vuln/SNYK-JS-XMLHTTPREQUESTSSL-1082936
- https://snyk.io/vuln/SNYK-JS-XMLHTTPREQUESTSSL-1255647