[Snyk] Fix for 26 vulnerabilities

[ik226]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	679/1000 Why? Has a fix available, CVSS 9.3	Incomplete List of Disallowed Inputs SNYK-JS-BABELTRAVERSE-5962463	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-COLORSTRING-1082939	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-HTMLMINIFIER-3091181	Yes	Proof of Concept
	641/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.4	Prototype Pollution SNYK-JS-JSON5-3182856	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	Yes	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-450202	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-608086	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-73638	Yes	Proof of Concept
	541/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	Yes	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASHTEMPLATE-1088054	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-1019388	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-3050818	Yes	No Known Exploit
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Prototype Pollution SNYK-JS-MINIMIST-2429795	No	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	No	Proof of Concept
	539/1000 Why? Has a fix available, CVSS 6.5	Information Exposure SNYK-JS-NODEFETCH-2342118	Yes	No Known Exploit
	520/1000 Why? Has a fix available, CVSS 5.9	Denial of Service SNYK-JS-NODEFETCH-674311	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-POSTCSS-1255640	Yes	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Improper Input Validation SNYK-JS-POSTCSS-5926692	Yes	No Known Exploit
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Server-side Request Forgery (SSRF) SNYK-JS-REQUEST-3361831	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-UNSETVALUE-2400660	Yes	No Known Exploit
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:lodash:20180130	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:minimatch:20160620	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: css-loader

The new version differs by 80 commits.

• 634ab49 chore(release): 2.0.0
• 6ade2d0 refactor: remove unused file (#860)
• e7525c9 test: nested url (#859)
• 7259faa test: css hacks (#858)
• 5e6034c feat: allow to filter import at-rules (#857)
• 5e702e7 feat: allow filtering urls (#856)
• 9642aa5 test: css stuff (#855)
• 3338656 fix: reduce number of require for url (#854)
• 533abbe test: issue 636 (#853)
• 08c551c refactor: better warning on invalid url resolution (#852)
• b0aa159 test: issue #589 (#851)
• f599c70 fix: broken unucode characters (#850)
• 1e551f3 test: issue 286 (#849)
• 419d27b docs: improve readme (#848)
• d94a698 refactor: webpack-default (#847)
• b97d997 feat: schema options
• 453248f fix: support module resolution in composes (#845)
• 8a6ea10 refactor: postcss plugins (#844)
• fdcf687 fix: url resolving logic (#843)
• 889dc7f feat: allow to disable css modules and disable their by default (#842)
• ee2d253 test: importLoaders option (#841)
• 1dad1fb feat: reuse postcss ast from other loaders (i.e `postcss-loader`) (#840)
• fe94ebc test: icss reserved keywords (#839)
• 9eaba66 refactor: migrate on message api for postcss-icss-plugin (#838)

See the full diff

Package name: gulp

The new version differs by 134 commits.

• 55eb23a Release: 4.0.0
• 173a532 Docs: Fix the installation instructions
• ec54d09 Docs: Improve note about out-of-date docs
• 03b7c98 Docs: Update recipes to install gulp@next
• 2eba29e Docs: Remove run-sequence from recipes
• 76eb4d6 Docs: Add installation instructions & update badges
• fbc162f Docs: Remove references to gulp-util
• 3011cf9 Scaffold: Normalize repository
• f27be05 Update: Remove graceful-fs from test suite
• 361ab63 Upgrade: Update glob-watcher
• 064d100 Build: Avoid broken node 9
• 057df59 Release: 4.0.0-alpha.3
• c1ba80c Breaking: Upgrade major versions of glob-watcher, gulp-cli & vinyl-fs
• 89acc5c Docs: Improve ES2015 task exporting examples (#1999)
• 0ac9e04 Docs: Add "Project structure" section to CONTRIBUTING.md (#1859)
• 723cbc4 Docs: Fix syntax in recipe example (#1715)
• d420a6a Docs: Have gulp.lastRun take a function to avoid task registration (#1828)
• 29ece6f Upgrade: Update undertaker
• e931cb0 Docs: Fix changelog typos (#1696)
• 477db84 Docs: Add a "BrowserSync with Gulp 4" recipe (#1659)
• d4ed3c7 Docs: Add options.cwd for gulp.src API (#1645)
• 5dc3b07 Docs: Update gulp.watch API to align with glob-watcher
• 0c66069 Breaking: Replace chokidar as gulp.watch with glob-watcher wrapper
• c3dbc10 Docs: Clarify incremental builds example (#1609)

See the full diff

Package name: gulp-babel

The new version differs by 4 commits.

• 8e6fa78 7.0.0
• 8afcd30 make babel-core a peerDep, similar to babel-loader (Show notifications of users applied/updated, donations, delivery route changed freeCodeCamp/pantry-for-good#122)
• 744f633 7.0.0-alpha.18
• 21bf286 Babel 7 alpha (fix questionnaire validation freeCodeCamp/pantry-for-good#112)

See the full diff

Package name: html-webpack-plugin

The new version differs by 196 commits.

• eb73905 chore(release): 4.0.0
• 42a6d4a Add typing for getHooks
• a1a37cf Release html-webpack-plugin 4.0.0-beta.14
• 97f9fb9 fix: load script files before style files files in defer script loading mode
• e97ce17 Release html-webpack-plugin 4.0.0-beta.13
• e448b5d Release html-webpack-plugin 4.0.0-beta.12
• de315eb feat: Add defer script loading
• 7df269f feat: Provide a verbose error message if html minification failed
• 1d66e53 feat: merge templateParameters with default template parameters
• dfb98e7 Fix typo in template option docts
• 096a760 Fix broken links in examples
• a195c34 docs: Update template-option documentation
• 40b410e docs: Update example for template parameters
• bf017f3 chore: Release 4.0.0-beta.11
• 2549557 test: Don't use minification for speed measurement
• de22fc2 test: Adjust measurment for node 6 on travis
• 24bf1b5 fix: Update references to html-minifier
• f4eafdc chore: Release 4.0.0-beta.10
• a2ad30a refactor: Use getAssetPath instead of calling the hook directly
• 2595a79 chore: Release 4.0.0-beta.9
• c66766c feat: Add support for minifying inline ES6 inside html templates
• 655cbcd Fix README typo
• 6de319b update lodash dependency for prototype polution vulnerability
• 35a1541 Properly encode file names emitted as part of URLs.

See the full diff

Package name: juice

The new version differs by 72 commits.

• a628051 v7.0.0
• 5d89c6e Merge pull request how do I recreate the fb-dev database?  freeCodeCamp/pantry-for-good#368 from TrySound/upgrade-web-resource-inliner
• ef3a266 Merge pull request Add the displaying of password errors on the signup page freeCodeCamp/pantry-for-good#369 from TrySound/published-files
• 335ed19 Publish only necessary files in package
• 3ec34d3 Upgrade web-resource-inliner
• 56e8fbc Merge pull request fix issue in test "admins can set other users as admins"  freeCodeCamp/pantry-for-good#367 from TrySound/upgrade-commander
• 1dac1f4 Upgrade commander
• 1f82379 Merge pull request Fix error 'unathorized' while an user tries to get the food list freeCodeCamp/pantry-for-good#366 from TrySound/upgrade-cheerio
• 4178da6 Upgrade typescript
• 0ea9842 Upgrade to cheerio v1
• ec41c65 Merge pull request Add Customer Name to Packed Packages List freeCodeCamp/pantry-for-good#352 from hansottowirtz/support-htmlparser2
• f55f820 Merge pull request "Password should be longer" should be displayed to the user, in case, while trying to register a new membership freeCodeCamp/pantry-for-good#364 from TrySound/drop-deep-extend
• 7116879 Replace deep-extend with nested Object.assign
• 879e34c Merge pull request How to run the tests correctly? freeCodeCamp/pantry-for-good#363 from TrySound/unused-inliner-options
• 8899cd7 Merge pull request Fix error 'unathorized' while an user wants to 'Apply as a customer' freeCodeCamp/pantry-for-good#365 from TrySound/object-assign
• 0765875 Merge pull request Register as a customer shows not authorized from trying to get foods freeCodeCamp/pantry-for-good#362 from TrySound/cross-spawn-dev
• d08b1ed Replace custom extend utility with native Object.assign
• fb22fc0 Drop unused cssmin and uglify options from cli
• f3307de Move cross-spawn to dev dependencies
• 49b5412 Merge pull request Revise customer integration tests freeCodeCamp/pantry-for-good#349 from ArsenyYankovsky/master
• 0ce3da7 Merge pull request Question about debugging freeCodeCamp/pantry-for-good#360 from nekocode/fix-empty-tag
• 990f0dd Merge pull request (#122) Show notifications of users applied/updated, donations, delive… freeCodeCamp/pantry-for-good#353 from asztal/patch-1
• 35d9a9d fix Feature - Add Tooltip to Packed Package List Preferred Foods freeCodeCamp/pantry-for-good#359
• 6963fe6 Add changelog entry for v6.0.0

See the full diff

Package name: mapbox-gl

The new version differs by 250 commits.

• f7c029d v0.53.0 (#7884)
• 7017427 upgrade earcut to v2.1.5 (#7878) (#7879)
• e681dfa v0.53.0-beta.1 (#7853)
• 4e36f8f perform XHR in the main context rather than the worker's to preserve referrer information (#7848)
• 493e438 Use account information instead of access token for telemetry events
• 32cbe3d Remove Array.find so IE11 works ok (#7837) (#7838)
• 5cfd528 update docs page shell and add babelInclude to batfish config (#7834) (#7835)
• bb43b29 Fix Safari bug which mistakenly requested WebP images (#7817) (#7819)
• 782dd23 upgrade supercluster to v6.0.1 (#7811) (#7815)
• 718f468 Merge remote-tracking branch 'origin/publisher-production'
• 8f0d7aa Fix Query point translation for multi-point geometry
• b01a5d3 removeFeatureState (#7761)
• d9d92f4 upgrade flow-related dependencies (#7805)
• 63e262d upgrade rollup and its plugins (#7803)
• 19e4399 upgrade direct dependencies (#7794)
• b47e761 Evaluate feature-state dependent layer IDs on bucket creation (#7790)
• d0ba5c5 fix inter-documentation link (#7791)
• 0a5b8a5 [docs] use docs subdomain in examples (#7789)
• 4de4e47 [docs] mb-pages -> publisher-production (#7787)
• 634ae3f Bump Publisher
• 4cc2a7d Update feedback url and related test
• f66be3f Simplify clusterProperties expression (#7784)
• 1b058ae First shot at new-domain staging
• 865564f [docs] Update page shell (#7760)

See the full diff

Package name: node-geocoder

The new version differs by 6 commits.

• 9463c76 v4.0.0
• 72bb7d2 Fix google geocoder buffer
• 5534878 Remove deprecated option from here geocoder (Allow guests to get settings freeCodeCamp/pantry-for-good#333)
• b701cd5 Remove http adapters (Capitalized the column heading status on the Packing List page freeCodeCamp/pantry-for-good#332)
• 6ef1f47 Prepare 4.0 release
• 836ff39 Add integration test for google geocoder

See the full diff

Package name: react-bootstrap-table

The new version differs by 80 commits.

• ec9f036 Merge pull request #1534 from AllenFang/v4.0.0-dev
• 9e48bb7 README
• 99e2815 v4.0.0 ✨
• 3ce53cc prod
• d4fcae7 bootstrap 4 script&css
• 9f3eab8 fix bug about wrong compare for React Component
• d369521 use btn-secondary as default button style for bootstrap 4
• 9d1856b fix footer of insert modal was broken when use bootstrap 4
• 02cfe11 fix mode header of insert modal was broken when use bootstrap 4
• d88c2e5 fix dropdown options broken when use bootstrap 4
• 2d85bfa v4.0.0-beta.10
• 55b394a prod
• c33eb02 increase selection column width when use bootstrap 4
• 4c86555 increase expand column width when use bootstrap4
• 78c42b7 fix conflicts
• 4e0a950 fix sort caret broken when using bootstrap 4
• 51c3217 version props to assign the bootstrap version
• 4ff2e5a make compatiable with font awesome
• 5758b7d fix #1481, toolbar broken when upgrade to bootstrap 4
• 613b983 CHANGELOG
• 4168db3 Merge branch 'jspaine-fix-double-validation' into v4.0.0-dev
• b460abc simpified the solution to fix double validation
• f80af3e Merge branch 'fix-double-validation' of https://github.com/jspaine/react-bootstrap-table into jspaine-fix-double-validation
• b06fd5b 4.0.0-beta.9

See the full diff

Package name: webpack

The new version differs by 250 commits.

• 610f368 5.0.0
• 5ce65c1 update examples
• bbe1230 Merge pull request #11628 from webpack/bugfix/real-content-hash
• 75ecff2 5.0.0-rc.6
• bfc35d6 Merge pull request #11603 from MayaWolf/master
• 76e8cbd Merge pull request #11622 from webpack/dependabot/npm_and_yarn/types/node-13.13.25
• 9fd1be2 chore(deps-dev): bump @ types/node from 13.13.23 to 13.13.25
• 36bcfaa Merge pull request #11621 from webpack/bugfix/11619
• 9130d10 fix called variables with ProvidePlugin
• 3e42105 Merge pull request #11620 from webpack/bugfix/11617
• 4709719 skip connections copied to concatenated module
• 57b493f 5.0.0-rc.5
• 1658e2f Merge pull request #11618 from webpack/bugfix/11615
• a8fb45d fixes crash in SideEffectsFlagPlugin
• 84b196d emit error instead of crashing when unexpected problem occurs
• 5573fed Merge pull request #11601 from Hornwitser/improve-suggested-polyfill-config
• 9b5cce9 Merge pull request #11609 from snitin315/export-types
• 37c495c export type RuleSetUseItem
• 39faf34 export type RuleSetUse
• e5fd246 export type RuleSetConditionAbsolute
• 660baad export RuleSetCondition types
• 13e3ca5 Merge pull request #11602 from webpack/bugfix/shared-runtime-chunk
• 9c0587e Merge pull request #11606 from webpack/dependabot/npm_and_yarn/simple-git-2.21.0
• 502d166 Merge pull request #11607 from webpack/dependabot/npm_and_yarn/acorn-8.0.4

See the full diff

Package name: webpack-dev-server

The new version differs by 250 commits.

• c9271b9 chore(release): 4.0.0
• 18bf369 test: fix stability (#3676)
• cdcabb2 fix: respect protocol from browser for manual setup (#3675)
• 1768d6b fix: initial reloading for lazy compilation (#3662)
• 4f5bab1 docs: improve examples (#3672)
• f2d87fb fix: improve https CLI output (#3673)
• 0277c5e chore: remove redundant console statements (#3671)
• 16fcdbc docs: add `ipc` example (#3667)
• 8915fb8 test: add e2e tests for built in routes (#3669)
• 4d1cbe1 docs: ask `version` information in issue template (#3668)
• b6c1881 chore(deps-dev): bump core-js from 3.16.1 to 3.16.2 (#3666)
• ffa8cc5 chore(deps-dev): bump supertest from 6.1.5 to 6.1.6 (#3665)
• f1fdaa7 chore(release): 4.0.0-rc.1
• c4678bc fix: legacy API (#3660)
• d8bdd03 test: fix stability (#3661)
• 22b1414 refactor: remove `killable` (#3657)
• 75bafbf test: add e2e tests for module federation (#3658)
• 493ccbd chore(deps): update `ws` (#3652)
• ae8c523 test: add e2e test for universal compiler (#3656)
• f94b84f chore(deps): update (#3655)
• 1923132 test: fix cli
• 2adfd01 test: fix todo (#3653)
• 6e2cbde fix: proxy logging and allow to pass options without the `target` option (#3651)
• c9ccc96 fix: respect infastructureLogging.level for client.logging (#3613)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Prototype Pollution
🦉 Improper Input Validation
🦉 More lessons are available in Snyk Learn