[Snyk] Fix for 23 vulnerabilities

[baby636]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json

⚠️ Warning

Failed to update the package-lock.json, please update manually before merging.

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	651/1000 Why? Mature exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANGULAR-2772735	Yes	Mature
	531/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.2	Cross-site Scripting (XSS) SNYK-JS-ANGULAR-2949781	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANGULAR-3373044	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANGULAR-3373045	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANGULAR-3373046	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-COLORSTRING-1082939	Yes	Proof of Concept
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution SNYK-JS-DOTPROP-543489	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	Yes	Proof of Concept
	484/1000 Why? Has a fix available, CVSS 5.4	Open Redirect SNYK-JS-GOT-2932019	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-HTMLMINIFIER-3091181	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-HTTPCACHESEMANTICS-3248783	Yes	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASHTEMPLATE-1088054	Yes	Proof of Concept
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Prototype Pollution SNYK-JS-MINIMIST-2429795	Yes	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-POSTCSS-1255640	Yes	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Improper Input Validation SNYK-JS-POSTCSS-5926692	Yes	No Known Exploit
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Server-side Request Forgery (SSRF) SNYK-JS-REQUEST-3361831	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-SSRI-1246392	No	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-UNSETVALUE-2400660	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:timespan:20170907	Yes	No Known Exploit
	324/1000 Why? Has a fix available, CVSS 2.2	Uninitialized Memory Exposure npm:utile:20180614	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: @commitlint/cli

The new version differs by 250 commits.

• 71f0194 v9.0.0
• 5bb6907 docs(readme): add install husky example (#1699)
• 0f0f95a chore: update dependency typescript to v3.8.2 (#1002)
• 890df29 chore: update dependency @ types/node to v12.12.28 (#1001)
• 6c9ab78 chore: update dependency @ types/jest to v25.1.3 (#1000)
• 882e292 chore: update dependency ts-jest to v25.2.1 (#999)
• c3eb1a7 fix: ignore empty commit messages #615 (#676)
• 8b394c9 feat(config-conventional): footer/body-max-line (#436)
• 4443062 feat: add async promise based rules methods into lint (#976)
• 89168b8 chore: update typescript-eslint monorepo to v2.20.0 (#998)
• 9d14792 chore: update dependency husky to v4.2.3 (#996)
• 4ee307a fix: update dependency semver to v7.1.3 (#995)
• c7cfe37 chore: remove unused configs (#991)
• 0404c7d chore: update dependency @ types/node to v12.12.27 (#994)
• 34c11b8 fix: incorrect use of when in getForcedCaseFn (#993)
• 6f80f70 chore: align required globby between packages (#992)
• f379dcc refactor: replace lodash/omit with spread (#988)
• d5c601f test: add missing test cases for ensure and is-ignored (#987)
• ec4af58 docs: update node version support (#986)
• f74e036 chore: upgrade execa to 3.4.0 (#984)
• c49a57c feat: passdown argv to lint command (#891)
• 01c451c test(config-lerna-scopes): add regression tests (#979)
• 21a91e7 test: eslint setup (#981)
• f88f00d fix(config-lerna-scopes): correct lerna in peerDependencies (#980)

See the full diff

Package name: angular-ui-router

The new version differs by 250 commits.

• 1b34e08 chore(docs): Add publishdocs script
• 4cdc307 chore(release): Fix artifacts uploda script
• ea443d8 Release 1.0.0
• 7018915 chore(build): bump core to 5.0.1
• 4539e4a chore(travis): Fix travis
• 74338aa chore(package): Rename angular-ui-router vestiges to @ uirouter/angularjs
• 4919a3a Prep for @ uirouter/angularjs release 1.0.0
• 07c9136 sq
• 043be3e sq
• dd26d49 feat(core): Add UMD bundle adapter for @ uirouter/core
• a26ed81 chore(migrate): Add migration warning on install
• 8d62b0d chore(core): Switch from ui-router-core to @ uirouter/core
• af0b8d4 chore(*): artifact tagging script
• 7a086ee fix(uiCanExit): Only process uiCanExit hook once during redirects
• 8fe5b1f fix(view): Allow targeting nested named ui-view by simple ui-view name
• ec6e5e4 fix(noImplicitAny): move noimplicitany compliance test file to correct location
• df6ee24 fix(onEnter): Fix typescript typing for onEnter/onRetain/onExit
• 4559c32 fix(routeToComponent): Bind resolves that start with data- or x-
• 8e7386b chore(typescript): Add noImplicitAny compliance check in `test` script
• 60e7407 chore(travis): bump travis node requirement
• b4863cf chore(ISSUE_TEMPLATE): create issue template
• a04674c chore(ISSUE_TEMPLATE): create issue template
• 7573156 fix(views): Better validation of view declarations (throw when there are state-level and view-level conflicts)
• 66103fc fix(views): Allow same views object to be reused in multiple states

See the full diff

Package name: css-loader

The new version differs by 146 commits.

• 634ab49 chore(release): 2.0.0
• 6ade2d0 refactor: remove unused file (#860)
• e7525c9 test: nested url (#859)
• 7259faa test: css hacks (#858)
• 5e6034c feat: allow to filter import at-rules (#857)
• 5e702e7 feat: allow filtering urls (#856)
• 9642aa5 test: css stuff (#855)
• 3338656 fix: reduce number of require for url (#854)
• 533abbe test: issue 636 (#853)
• 08c551c refactor: better warning on invalid url resolution (#852)
• b0aa159 test: issue #589 (#851)
• f599c70 fix: broken unucode characters (#850)
• 1e551f3 test: issue 286 (#849)
• 419d27b docs: improve readme (#848)
• d94a698 refactor: webpack-default (#847)
• b97d997 feat: schema options
• 453248f fix: support module resolution in composes (#845)
• 8a6ea10 refactor: postcss plugins (#844)
• fdcf687 fix: url resolving logic (#843)
• 889dc7f feat: allow to disable css modules and disable their by default (#842)
• ee2d253 test: importLoaders option (#841)
• 1dad1fb feat: reuse postcss ast from other loaders (i.e `postcss-loader`) (#840)
• fe94ebc test: icss reserved keywords (#839)
• 9eaba66 refactor: migrate on message api for postcss-icss-plugin (#838)

See the full diff

Package name: forever

The new version differs by 38 commits.

• b2120f9 Remove utile (#1099)
• 071cc04 Update changelog
• c1bcbff Remove dependency on broadway (#1098)
• 3586afe Prepare 3.0.1 for release
• 67cc950 Prepare 3.0.1 for release
• 877d93a Replaced optimist with yargs (#1093)
• a36330a Update forever-monitor (#1081)
• 0c5d32a Update dependencies and test Node 14 (#1080)
• 9e85c59 Fix argument type of fs.writeFileSync (#1075)
• 58eb131 Add CLI test for starting/stopping from a directory with space (#1068)
• 437ca4a Remove unnecessary path-is-absolute dependency (#1062)
• 8f739b0 Execute Mocha tests (#1054)
• ceb235c Update changelog
• 008766f Add linting (#1053)
• a5b97ae add '--version' to help text (#1041)
• 3c09b6f Update async to 1.x.x (#1052)
• c551947 Update async (#1051)
• dda79a6 Update dependencies (#1050)
• 70259bc Drop support for Node < 6 (#1049)
• 8b41d16 Bump version in package-lock.json
• 2f6d4e0 Only publish necessary files
• 067c758 Bump version to 1.0.1, update changelog
• bce5991 Update forever-monitor (#1047)
• 0ef5100 Fix CI (#1048)

See the full diff

Package name: gulp-minify

The new version differs by 12 commits.

• a2bc653 chore:bump to 3.0
• dd95e88 doc: add badge
• 50bd987 Upgrade dependent module and add test case ([Snyk] Security upgrade @angular-devkit/build-angular from 0.11.4 to 0.1000.0 #45)
• 3c4eb85 Upgrade to support 3.x.x versions of Gulp. ([Snyk] Fix for 1 vulnerabilities #44)
• fb84eb3 replaced deprecated gulp-util ([Snyk] Security upgrade @angular-devkit/build-angular from 0.11.4 to 0.800.0 #34)
• eeda4cf chore:bump to 2.1.0
• 4e49b2d Fix source map not being generated ([Snyk] Security upgrade @angular-devkit/build-angular from 0.11.4 to 13.0.0 #32)
• 731b915 doc: update doc
• 45f2a79 fix: create a es5 tag for the earlier language versions ([Snyk] Security upgrade npm from 6.4.1 to 7.0.0 #30)
• e23bf88 chore:bump to 1.0.0
• 73646f8 Changed to use uglify-es, the new version of uglify with support to ES6 ([Snyk] Security upgrade protractor from 5.4.2 to 6.0.0 #26)
• ec17944 chore:bump to 0.0.15

See the full diff

Package name: html-loader

The new version differs by 93 commits.

• d7cccfa chore(release): 1.0.0
• 3c9a1d8 refactor: `attributes` option (#265)
• 8c73761 feat: `preprocessor` option (#263)
• f2ce5b1 feat: improve errors
• 9923244 chore(deps): update (#260)
• 9835bde feat: supports `link:href` attribute for css (#258)
• 7af2eff refactor: improve schema (#257)
• 98412f9 docs: `filter` sources (#256)
• ff0f44c feat: implement the `filter` option for filtering some of sources (#255)
• 1c24662 refactor: move the `root` option under the `attributes` option (#254)
• 888b8fe docs: add footnote for `-attributes` (#252)
• 3d2907e refactor: remove the `interpolate` option
• bd979e2 refactor: remove the `interpolate` option
• fcba4ec fix: handle only valid srcset tags (#253)
• 9e5ce56 perf: improve source parse (#251)
• c9c8dad refactor: improve source parse (#250)
• 079d623 fix: respect `#hash` in sources
• a17df49 fix: reduce `import`/`require` count
• d0b0150 fix: adding quotes when necessary for unquoted sources (#247)
• e3727ab test: minifier
• 0bbe29c feat: migrate on `htmlparse2`
• b7af031 fix: escape `\u2028` and `\u2029` characters (#244)
• 24b0427 fix: parser tags and attributes according spec (#243)
• 3df909d feat: support `script:src` attributes

See the full diff

Package name: html-to-text

The new version differs by 88 commits.

• cc4d026 Version bumped 5.1.0
• 30c5556 Remove hardcoded CLI options ([Snyk] Security upgrade express from 4.16.4 to 4.21.2 #173)
• 14c7475 README updated
• fc487c9 Dependency on fs module removed ([Snyk] Security upgrade axios from 0.18.0 to 1.7.8 #171)
• b642ec7 Added tests for the cli arguments ([Snyk] Fix for 71 vulnerabilities #153)
• 4e6127d prepublish script added
• d1e3077 Changelog updated
• ac0e63b Potential security vulnerability fixed
• 8f8a5c8 Merge branch 'jstewmon-fix-href-anchors'
• 5781f8a Closed [Snyk] Security upgrade bootstrap from 4.3.1 to 5.0.0 #148
• 3540426 Merge branch 'master' of github.com:werk85/node-html-to-text
• d561095 Version bumped to 4.0.0. package-lock.json added. README updated.
• 655a754 Supports format blockquote ([Snyk] Security upgrade bootstrap from 4.3.1 to 5.0.0 #142)
• 1a3d878 Drop support for Node.js < 4; switch from underscore to lodash ([Snyk] Security upgrade webpack from 4.26.0 to 5.94.0 #150)
• b5d0ea1 customizable ul li item prefix ([Snyk] Fix for 1 vulnerabilities #140)
• fc503dc take a stance on semicolons
• 912536a fix: html entities in hrefs should not trigger noAnchorUrl
• 1dbebe1 Fix docs typo ([Snyk] Security upgrade bootstrap from 4.3.1 to 5.0.0 #146)
• 019f45e chore(package): update chai to version 4.0.1 ([Snyk] Fix for 2 vulnerabilities #133)
• 76b1a89 Version bumped to 3.3.0. Readme updated.
• 5419826 Implement ol type="i" and "I" as fallbacks to "1", add option to not render anchor links. ([Snyk] Security upgrade gulp from 4.0.0 to 5.0.0 #123)
• 2ac2830 Ability to pass custom formatting via the `format` option ([Snyk] Fix for 2 vulnerabilities #128)
• 8782c3d Changelog fixed. Version bumped to 3.2.0
• 00f63b1 Changelog updated for Version 3.2.0

See the full diff

Package name: less

The new version differs by 45 commits.

• e4f7551 v3.12.0
• 371185c v3.12.0-RC.2 (#3540)
• d5aa9d1 Fixes #3371 Allow conditional evaluation of function args (#3532)
• a722237 Remove lib folder from git (#3531)
• e0f5c1a Move changelog to root (#3530)
• f7bdce7 Duplicate dist files in root for older links (#3529)
• 0925cf1 Test-data module (#3525)
• 51fb02b Fixes #3504 / organizes tests (#3523)
• efb76ec Restore nuked scripts (?), replace dependencies (#3501) (#3522)
• 2c5e4dd Lerna refactor / TS compiling w/o bundling (#3521)
• a3641e4 Resolve #3398 Add flag to disable sourcemap url annotation (#3517)
• e018ba8 fix(#3294): use loadFileSync when loading plugins with syncImport: true (#3506)
• 95b9007 Update changelog
• 6238bbc Fixes #3508 (#3509)
• 8338366 Update README.md
• 6313bc5 Update changelog
• 53bf877 Remove tree caching in import manager (#3498)
• 0f271f3 issue#3481 ignore missing debugInfo (#3482)
• 3bd995b Additional check to avoid evaluating an expression if it is a comment (#3494)
• 0715d90 fix: Use make-dir instead of mkdirp (#3490)
• 2634494 Properly exit calc mode after use (#3493)
• 096dd22 Convert to auto-changelog (#3477)
• 842386b Fixes #3469 - Include tslib dependency (#3475)
• 1adaadb 3.11.0 (#3468)

See the full diff

Package name: medium-editor-insert-plugin

The new version differs by 10 commits.

• a5c31c8 v2.5.1
• c09b0ad docs: add keligijus as a contributor (#491)
• 21719df perf: Use object url for image previews (#487)
• 36b7b94 chore: add contributors to readme (#490)
• e11e013 chore: update dependencies (#488)
• 4b2a314 Merge pull request #484 from jerinisready/patch-1
• 6738e09 Update README.md
• a02dfad Merge pull request #473 from pressblog/update-npm-grunt-autoprefixer
• de1d23d update grunt-autoprefixer
• 723960d update npm and add package-lock.json

See the full diff

Package name: minify

The new version differs by 58 commits.

• 201d62f chore(package) v6.0.0
• 5ebeb3b docs(readme) simplify example: ^D -> EOT ([Snyk] Security upgrade @angular-devkit/build-angular from 0.11.4 to 0.13.0 #58)
• 092b179 chore(putoutcache) rm
• 717fe62 feature(package) drop support of node < 12
• 29f49a7 chore(travis) rm node v 10
• 4c99ae3 feature(minify) html-minifier -> html-minifier-terser ([Snyk] Security upgrade moment from 2.22.2 to 2.29.4 #59)
• d022ae6 feature(package) eslint-plugin-putout v5.1.1
• 75ba104 chore(package) v5.2.0
• 92c36b5 chore(package) nyc: ignore .*
• 7d77c1b feature(package) terser v5.3.2
• 6b94a1d feature(package) putout v10.0.1
• ee43277 feature(package) madrun v7.0.4
• bf03bcb Fixed typo in try-to-catch link ([Snyk] Fix for 1 vulnerabilities #57)
• 6a2d9fd chore(package) nyc config
• 85b55e8 docs(readme) added more clarification ([Snyk] Security upgrade jquery from 3.3.1 to 3.5.0 #53)
• f22e523 chore(travis) lint
• 1703c79 feature(package) supertape v2.0.1
• 4e2d39c feature(package) eslint v7.0.0
• ed65e1a feature(package) madrun v6.0.1
• 663d27e feature(package) eslint-plugin-putout v4.0.2
• b162451 feature(package) putout v8.3.0
• 01ce244 chore(travis) node v14
• 1af7c37 chore(package) v5.1.1
• c840d79 feature(package) try-to-catch v3.0.0

See the full diff

Package name: npm

The new version differs by 250 commits.

• 3b4ba65 7.0.0
• bbfc75d chore: fix weird .gitignore thing that happened somehow
• 8a2d375 docs: changelog for v7.0.0
• 365f2e7 [email protected]
• fafb348 [email protected]
• 9306c68 [email protected]
• 569cd64 [email protected]
• ac9fde7 Integration code for @ npmcli/[email protected]
• 704b9cd @ npmcli/[email protected]
• 3955bb9 [email protected]
• da240ef fix: patch config.js to remove duplicate values
• 9ae45a8 [email protected]
• 41ab36d [email protected]
• c474a15 [email protected]
• efc6786 fix: make sure publishConfig is passed through
• 1e4e6e9 docs: v7 using npm config refresh
• 5c1c2da fix: init config aliases
• 5bc7eb2 docs: v7 npm-install refresh
• 1a35d87 7.0.0-rc.4
• 7a5a557 docs: changelog for v7.0.0-rc.4
• f0cf859 chore: dedupe deps
• 0273745 [email protected]
• 7bd47ca @ npmcli/[email protected]
• 9320b8e only escape arguments, not the command name

See the full diff

Package name: ts-loader

The new version differs by 40 commits.

• 218718a drop support for < node 8 and republish 5.4.6 as 6.0.0 (#930)
• 9946fbc v5.4.6
• e13bee2 Update dependencies (#928)
• a6572ce internal: remove usage of hand crafted webpack typings (#927)
• 48626a9 add common appendTsTsxSuffixesIfRequired function to instance (#924)
• 0fd623f add node12 to travis build (#925)
• 77b8471 prepare 5.4.3 release
• 381a6a9 more .npmignore
• 3f8316a don't publish anything but ts-loader (#923)
• ea2fcf9 resolveTypeReferenceDirective support for yarn PnP (#921)
• 4692a22 ts 3.4 tests (#916)
• dc1dda8 edited broken link in README.md (#915)
• c1f3c4e update example (#912)
• 4a8df76 Feature/3.3 tests (#903)
• 58505c4 drop fast-incremental-builds example (#901)
• 4354cf8 fixed name of fork-ts-checker-webpack-plugin (#900)
• 4551893 there's way too many examples (#899)
• c9b1f31 add probot-stale https://github.com/probot/stale
• 92a2de9 Merge pull request #898 from TypeStrong/example-for-mcolyer
• ff9bc37 example of filter issue for @ mcolyer
• ba6f5c4 Merge pull request #884 from zerdos/master
• 92f0d70 migrate large comparison test to be execution test (#896)
• df04a56 release event not available so use push event and filter (#893)
• 177a985 add first github action! (#891)

See the full diff

Package name: webpack

The new version differs by 250 commits.

• 610f368 5.0.0
• 5ce65c1 update examples
• bbe1230 Merge pull request #11628 from webpack/bugfix/real-content-hash
• 75ecff2 5.0.0-rc.6
• bfc35d6 Merge pull request #11603 from MayaWolf/master
• 76e8cbd Merge pull request #11622 from webpack/dependabot/npm_and_yarn/types/node-13.13.25
• 9fd1be2 chore(deps-dev): bump @ types/node from 13.13.23 to 13.13.25
• 36bcfaa Merge pull request #11621 from webpack/bugfix/11619
• 9130d10 fix called variables with ProvidePlugin
• 3e42105 Merge pull request #11620 from webpack/bugfix/11617
• 4709719 skip connections copied to concatenated module
• 57b493f 5.0.0-rc.5
• 1658e2f Merge pull request #11618 from webpack/bugfix/11615
• a8fb45d fixes crash in SideEffectsFlagPlugin
• 84b196d emit error instead of crashing when unexpected problem occurs
• 5573fed Merge pull request #11601 from Hornwitser/improve-suggested-polyfill-config
• 9b5cce9 Merge pull request #11609 from snitin315/export-types
• 37c495c export type RuleSetUseItem
• 39faf34 export type RuleSetUse
• e5fd246 export type RuleSetConditionAbsolute
• 660baad export RuleSetCondition types
• 13e3ca5 Merge pull request #11602 from webpack/bugfix/shared-runtime-chunk
• 9c0587e Merge pull request #11606 from webpack/dependabot/npm_and_yarn/simple-git-2.21.0
• 502d166 Merge pull request #11607 from webpack/dependabot/npm_and_yarn/acorn-8.0.4

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 [Read more about Snyk's upgrade and patch logic](https://support.snyk.io/hc/en-...