[Snyk-dev] Fix for 13 vulnerabilities

[snyk-bot]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:

  • package.json

• Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
  Find out more.

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	584/1000 Why? Has a fix available, CVSS 7.4	Directory Traversal SNYK-JS-ADMZIP-1065796	No	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-1019388	Yes	No Known Exploit
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Prototype Pollution SNYK-JS-MINIMIST-2429795	No	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	No	Proof of Concept
	596/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.5	Arbitrary Code Injection SNYK-JS-UNDERSCORE-1080984	No	Proof of Concept
	899/1000 Why? Mature exploit, Has a fix available, CVSS 9.4	Arbitrary File Write via Archive Extraction (Zip Slip) npm:adm-zip:20180415	No	Mature
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:hawk:20160119	No	No Known Exploit
	539/1000 Why? Has a fix available, CVSS 6.5	Timing Attack npm:http-signature:20150122	No	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:minimatch:20160620	Yes	No Known Exploit
	756/1000 Why? Mature exploit, Has a fix available, CVSS 7.4	Uninitialized Memory Exposure npm:npmconf:20180512	No	Mature

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: dalek-browser-phantomjs

The new version differs by 5 commits.

• c9374b0 Updating metadata for 0.0.5 release
• e1face5 Merge pull request [Snyk-dev] Fix for 1 vulnerable dependencies #13 from wrumsby/upgrade-phantomjs
• b0b6c01 Specify phantoms 1.9.14 as a minimum
• da3c205 Merge pull request [Snyk-dev] Fix for 1 vulnerable dependencies #10 from Flyingmana/patch-1
• 0f12063 chore(dependencies): less strict version constrain for phantomjs

See the full diff

Package name: glob

The new version differs by 89 commits.

• 3a7e71d v5.0.15
• 841fda0 use latest minimatch
• 4ba54a8 Skip some tests on Windows, make others pass
• 3936e1e Build: Add build for node v4
• c47d451 v5.0.14
• 821fac8 Handle ENOTSUP for sync glob as well as async
• 9625618 Test for when readdir raises ENOTSUP
• 0a2b519 Generate fixtures more effectively, with -O instead of eval
• f96190b Use js for benchmark cleanup
• 957fd93 Fix some 'use strict' errors
• bf3381e Treat ENOTSUP like ENOTDIR in readdir
• 507733d v5.0.13
• f5878af Do not emit 'match' events for ignored items
• 9439afd v5.0.12
• 6071f3a Revert "Use graceful-fs if available"
• 38ff16c v5.0.11
• f09292b Use graceful-fs if available
• 4f39b60 Remove duplicate option description
• e3cdccc v5.0.10
• 480da05 ignore .nyc_output, upgrade tap, use coverage, rm fixtures
• 155124b add more sync cb thrower tests
• f7302ca Test base-matching
• 7530e88 v5.0.9
• b185987 reduce cases where tests need to be regenerated

See the full diff

Package name: js-yaml

The new version differs by 25 commits.

• 2321c0b 3.2.7 released
• 6de643d Browser files rebuild
• eaa5f30 Deps update, closes Make internal dependency policy less strict and point to a phantomjs … dalekjs/dalek#167
• 9a7ae34 3.2.6 released
• fc35388 Browser files rebuild
• f0d7ea9 Merge pull request Unable to stop test suite dalekjs/dalek#163 from Hypercubed/patch-1
• a937a35 Update utils.js
• c6a2320 Rename codepoint -> c
• 2539825 Rename encodeUTF16Char -> charFromCodepoint
• 14e3b76 Fix encoding of UTF-16 surrogate pairs
• 8a73181 3.2.5 released
• a898401 Browser files rebuild
• d36d316 Improve benchmark/add-by-tag.sh script
• c2de702 Fixed bug: Tag on an empty node didn't resolve in some cases.
• 04ff648 Correct test description for issue dalek callback or custom functions dalekjs/dalek#154
• f1a248d Fix indent checking within skipSeparationSpace function
• 52aa9cc Fix resolving of all built-in types on empty nodes
• 478e66b Add benchmark/implementations to .jshintignore
• bf82559 Add benchmark/add-by-tag.sh script for quick downloading of old releases
• d7b136c Ignore benchmark/implementations/* expect `current`
• a88d676 Clean up benchmark/implementations
• 19bac78 3.2.4 released
• a682a86 Update HISTORY.md
• 25f5c87 Merge pull request resize doesnt work properly dalekjs/dalek#155 from paolochiodi/master

See the full diff

With a Snyk patch:

Severity	Priority Score (*)	Issue	Exploit Maturity
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:hawk:20160119	No Known Exploit
	539/1000 Why? Has a fix available, CVSS 6.5	Timing Attack npm:http-signature:20150122	No Known Exploit
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:mime:20170907	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:minimatch:20160620	No Known Exploit
	469/1000 Why? Has a fix available, CVSS 5.1	Remote Memory Exposure npm:request:20160119	No Known Exploit
	576/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.1	Uninitialized Memory Exposure npm:tunnel-agent:20170305	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Directory Traversal
🦉 Prototype Pollution
🦉 Arbitrary Code Injection