[Snyk] Fix for 24 vulnerabilities

[Subhojit1992]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:

  • package.json

• Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
  Find out more.

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	658/1000 Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-CSSWHAT-3035488	No	Proof of Concept
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution SNYK-JS-DOTPROP-543489	Yes	Proof of Concept
	484/1000 Why? Has a fix available, CVSS 5.4	Open Redirect SNYK-JS-GOT-2932019	Yes	No Known Exploit
	584/1000 Why? Has a fix available, CVSS 7.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-HAWK-2808852	Yes	No Known Exploit
	509/1000 Why? Has a fix available, CVSS 5.9	Denial of Service (DoS) SNYK-JS-JSYAML-173999	Yes	No Known Exploit
	619/1000 Why? Has a fix available, CVSS 8.1	Arbitrary Code Execution SNYK-JS-JSYAML-174129	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	Yes	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-450202	Yes	Proof of Concept
	731/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.2	Prototype Pollution SNYK-JS-LODASH-567746	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-608086	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-73638	Yes	Proof of Concept
	541/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-POSTCSS-1255640	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-TRIMNEWLINES-1298042	Yes	No Known Exploit
	711/1000 Why? Mature exploit, Has a fix available, CVSS 6.5	Uninitialized Memory Exposure npm:atob:20180429	Yes	Mature
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:clean-css:20180306	Yes	Proof of Concept
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	Yes	No Known Exploit
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:hoek:20180212	Yes	Proof of Concept
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:lodash:20180130	Yes	Proof of Concept
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:mime:20170907	Yes	No Known Exploit
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:ms:20170412	Yes	No Known Exploit
	576/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.1	Uninitialized Memory Exposure npm:tunnel-agent:20170305	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: chalk

The new version differs by 53 commits.

• 3fca615 2.0.0
• f66271e Add tagged template literal (include option is not working addyosmani/critical#163)
• 23ef1c7 fix linter errors
• c015568 add rainbow example
• 09fb2d8 Re-implement `chalk.enabled` (Use cssnano instead CleanCSS addyosmani/critical#160)
• 608242a spoof supports-color
• 18f2e7c add host information output
• 523b998 Revert "TEMPORARY: emergency travis CI fix (see comments)"
• 54975fb TEMPORARY: emergency travis CI fix (see comments)
• 1d73b21 Improve readme
• 6f4d6b3 Bump dependencies
• 8702496 Remove `chalk.styles`
• 0412cdf Minor code improvements
• 249b9ac ES2015ify the codebase
• cb3f230 Add RGB (256/Truecolor) support (added penthouse timeout option addyosmani/critical#140)
• dbae68d Update dependent package count in the readme (Travis: add explicitly node.js 4 and 6. addyosmani/critical#154)
• 9b60021 Drop support for Node.js 0.10 and 0.12
• 0d21449 check parent builder object for enabled status (add support for link preload hrefs addyosmani/critical#142)
• 5a69476 add XO badge
• 492f11f add example file
• 4ce73b6 make XO happy
• 7c02cf4 Add log statement to chalk examples (Cssrelpreload addyosmani/critical#129)
• 835ca3d You've just reached 10,000 dependent modules. (CSHTML file instead of HTML addyosmani/critical#122)
• 74c087d minor doc improvements (Vinyl addyosmani/critical#120)

See the full diff

Package name: clean-css

The new version differs by 250 commits.

• 7812d59 Version 4.1.11.
• 0440b4a Fixes ReDOS vulnerabilities.
• c601ebd Version 4.1.10.
• 9e0a38e Fixes #1006 - handling invalid input source maps.
• 913d72c Fixes #1008 - edge case in breaking up `font`.
• bedd8a9 Adds @ abarre fix to #1001 to release notes.
• e944a2b [#1001] Fix corrupted state of tokenizer (#1010)
• 8be4084 Fixes #989 - edge case in removing unused at-rules.
• 21a5df0 Fixes #988 - edge case in dropping `animation-duration`.
• 5f6cbc6 Version 4.1.9.
• a83386c See #971 - adds History.md entry about fixed issue.
• b756b48 Ignore quotes when checking @ font-face use (#972)
• 59ab101 Version 4.1.8.
• 251ec10 Fixes #966 - remote `@ import`s referenced from local ones.
• 744bfc5 Fixes #965 - edge case in parsing comment endings.
• c1aad92 Fixes #959 - regression in shortening long hex values.
• e30dac5 Fixes #960 - better explanation of `efficiency`.
• 382088d Version 4.1.7.
• c37eb15 Fixes #957 - `0%` minification of `width` property.
• 8c63ce0 Version 4.1.6.
• 77bad8e Fixes #953 - beautify breaks attribute selectors.
• 98254d1 Fixes #887 - edge case in serializing comments.
• b532b4e Version 4.1.5.
• 22c5236 Fixes #952 - parsing `@ page` as in CSS3 spec.

See the full diff

Package name: filter-css

The new version differs by 17 commits.

• 066e421 1.0.0
• 56a0874 Merge pull request [Snyk] Fix for 1 vulnerable dependencies #5 from XhmikosR/dev-2
• 4a2e65f cli.js: refactor
• 706ecdf Merge pull request [Snyk Update] New fixes for 1 vulnerable dependency path #4 from XhmikosR/dev
• c995ab6 Tweak tests more.
• ec7aac9 cli.js: add missing shebang
• 715973e Move `getValue()` to the global scope
• 245160d Reduce lodash usage.
• e63cc2e Fix Windows tests
• e47435d Tweak readme.md
• adcc132 Switch to GitHub Actions CI.
• f11745a Switch to xo.
• c901f6c Update all dependencies.
• 3439b55 Enforce LF for all files.
• c8dfb34 Remove update-notifier.
• ef97657 Split npm scripts.
• 110f55e ES6-ify and require Node.js 6.x

See the full diff

Package name: finalhandler

The new version differs by 58 commits.

• ed4c24d 1.0.6
• ec3693e deps: debug@2.6.9
• 56992d0 1.0.5
• 933adc8 build: Node.js@8.5
• c7ae24a deps: parseurl@~1.3.2
• eb13417 docs: fix syntax highlighting
• 91f81bb build: Node.js@8.4
• 85049f8 1.0.4
• 86d4c39 build: eslint-plugin-node@5.1.1
• 8d62a08 build: Node.js@8.2
• 44e024f build: readable-stream@2.3.3
• 7f7ebad build: eslint-plugin-node@5.1.0
• 3cbd16a build: eslint-plugin-import@2.7.0
• 3396636 build: safe-buffer@5.1.1
• 6193e13 build: support Node.js 8.x
• 5b2adb9 build: Node.js@6.11
• dd31a7c build: readable-stream@2.2.11
• ad6d3bd build: eslint-plugin-import@2.5.0
• 1258510 build: eslint-plugin-node@5.0.0
• 798415c deps: debug@2.6.8
• 0425ae6 1.0.3
• 3fcdbc0 deps: debug@2.6.7
• fb8fecd build: eslint-plugin-markdown@1.0.0-beta.6
• a49f580 build: Node.js@7.10

See the full diff

Package name: inline-critical

The new version differs by 120 commits.

• 4c59372 6.0.0
• a21e240 Changed readme
• 7e59c38 Bump dependencies
• f586a79 Bump uglifyjs
• ef27dac Bump dependencies
• 05ce30a Fix lint errors
• 5606d64 Require node 10
• f8fe5b0 Bump jest
• 7102fa7 npm audit fix
• c363073 Merge pull request Duplication of css rules addyosmani/critical#272 from bezoerb/feature/print-strategy
• 76e35c4 Adds new options to readme
• 4805494 fix linter warnings
• e1408b4 Adds preload & polyfill option
• 5306dce Adds test for media=print strategy
• be6660a Merge pull request Update debug to v3.1.0. addyosmani/critical#268 from bezoerb/dependabot/npm_and_yarn/acorn-5.7.4
• cf82462 Bump acorn from 5.7.3 to 5.7.4
• a939be7 5.3.1
• a36fc7b Update README.md
• 90ddeaa fix: removed silly '> 0' boolean check (CI: stop testing non-LTS node.js versions. addyosmani/critical#266)
• 13c65c8 Fix typo.
• cfb8901 5.3.0
• cb7d83d Merge pull request Empty href in link throws cryptic error addyosmani/critical#258 from XhmikosR/master-deps
• 3eb390a Update dependencies and remove the unused dom-serializer dep.
• 37ef519 Replace lodash with native methods and use its packages directly. (Official docker image addyosmani/critical#262)

See the full diff

Package name: meow

The new version differs by 54 commits.

• 5975fe6 6.0.0
• 3e05a2e Add type information for flags (CSHTML file instead of HTML addyosmani/critical#122)
• 499d186 Update dependencies
• 5ef9478 Add support for `number` flag type (explicit close stdout streams of child processes on exit  addyosmani/critical#103)
• 8e5248e Fix typo (Receiving an event emitter memory leak addyosmani/critical#121)
• cd29865 Only consider enabling autoHelp/autoVersion in case there is only one argument in `process.argv` (Remove "preferGlobal": true, addyosmani/critical#114)
• 54e1f22 Tidelift tasks
• 47fe20f Create funding.yml
• 927e6e8 Add Node.js 12 to testing (Option to exclude specific stylesheets addyosmani/critical#118)
• 167d1ec Update dependencies, refactor TypeScript definition to CommonJS compatible export (dropped jshint and added xo addyosmani/critical#117)
• fd537b8 Update dependencies
• f1036df Add TypeScript definition (Section in FAQ that perhaps warns against using Critical in HTTP/2 environments w/ Push Promises being available addyosmani/critical#116)
• f36715c Remove flag's aliases from the `flags` property (Error: spawn EACCES addyosmani/critical#108)
• 646f30b Fix Travis
• 439ac9b Fix docs regarding meow arguments
• cd635d4 Require Node.js 8
• 2bcfee7 Add `hardRejection` option
• f60c26e Switch from `loud-rejection` to `hard-rejection`
• 89f8983 Minor code tweaks
• d2e0e1e Add test that proves that grouped short-flags work fine
• 59773ee Fix readme example (>> Error opening url 'undefined': undefined addyosmani/critical#99)
• 258659a Document the `--no-` prefix (Undefined is not a function addyosmani/critical#87)
• e047605 5.0.0
• 4ab22b1 Require Node.js 6

See the full diff

Package name: oust

The new version differs by 4 commits.

• 40853e4 v0.5.0.
• a5ce6ad Update all the stuff, drop Node.js < 6 support, ES6-ify codebase. ([Snyk] Fix for 1 vulnerabilities #21)
• 3942af1 Bump package
• 8e6bd80 Add filter functionality ([Snyk] Fix for 1 vulnerabilities #17)

See the full diff

Package name: postcss-image-inliner

The new version differs by 61 commits.

• 0e9b765 4.0.1
• 57adb83 Bump deps
• 54649b9 4.0.0
• 08a5237 Breaking: require node 10
• ace0d5b Bump dependencies
• e219ab7 Merge pull request When to expect next release (0.8.5) addyosmani/critical#227 from bezoerb/dependabot/npm_and_yarn/acorn-7.1.1
• af24042 chore(deps): bump acorn from 7.1.0 to 7.1.1
• 61ff9db 3.0.9
• 7313624 Bump dependencies
• 8541d69 3.0.8
• 7dc78dc Merge pull request [Question] Anyone using this in production? addyosmani/critical#225 from XhmikosR/master
• 16370af Switch to using xo directly.
• 9f72b60 Minor ES6 tweaks
• 29c9acd 3.0.7
• 126d61c Merge pull request Master branch merged and fixed addyosmani/critical#223 from XhmikosR/master-deps
• f451868 3.0.6
• 622bcde Removes superfluous argument
• 75b1614 Update dependencies.
• 9a21fdd 3.0.5
• f9656e2 Update README.md
• 5c16c18 Switch to GitHub Actions CI. (Update README to reflect current maintainer + copyright addyosmani/critical#220)
• cfaeee3 3.0.4
• bafea9d Bump dependencies
• 2ee04e9 Update dependencies. (Unhandled rejection Error: Error: File.contents can only be a Buffer, a Stream, or null. addyosmani/critical#218)

See the full diff

With a Snyk patch:

Severity	Priority Score (*)	Issue	Exploit Maturity
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:lodash:20180130	Proof of Concept
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:mime:20170907	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Regular Expression Denial of Service (ReDoS)
🦉 Prototype Pollution
🦉 More lessons are available in Snyk Learn