
[Snyk] Fix for 45 vulnerabilities #327

Open
wants to merge 1 commit into
base: master
@snyk-bot snyk-bot commented Aug 5, 2021

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:

    • package.json
  • Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
    Find out more.

Vulnerabilities that will be fixed

With an upgrade:
| Severity | Priority Score (*) | Why? | Issue | Vulnerability ID | Breaking Change | Exploit Maturity |
|---|---|---|---|---|---|---|
| medium severity | 636/1000 | Proof of Concept exploit, Has a fix available, CVSS 6.3 | Prototype Pollution | SNYK-JS-DOTOBJECT-548905 | Yes | Proof of Concept |
| high severity | 696/1000 | Proof of Concept exploit, Has a fix available, CVSS 7.5 | Denial of Service (DoS) | SNYK-JS-ENGINEIO-1056749 | Yes | Proof of Concept |
| medium severity | 479/1000 | Has a fix available, CVSS 5.3 | Regular Expression Denial of Service (ReDoS) | SNYK-JS-GLOBPARENT-1016905 | Yes | No Known Exploit |
| medium severity | 586/1000 | Proof of Concept exploit, Has a fix available, CVSS 5.3 | Regular Expression Denial of Service (ReDoS) | SNYK-JS-LODASH-1018905 | Yes | Proof of Concept |
| high severity | 681/1000 | Proof of Concept exploit, Has a fix available, CVSS 7.2 | Command Injection | SNYK-JS-LODASH-1040724 | Yes | Proof of Concept |
| high severity | 686/1000 | Proof of Concept exploit, Has a fix available, CVSS 7.3 | Prototype Pollution | SNYK-JS-LODASH-450202 | Yes | Proof of Concept |
| medium severity | 636/1000 | Proof of Concept exploit, Has a fix available, CVSS 6.3 | Prototype Pollution | SNYK-JS-LODASH-567746 | Yes | Proof of Concept |
| critical severity | 704/1000 | Has a fix available, CVSS 9.8 | Prototype Pollution | SNYK-JS-LODASH-590103 | Yes | No Known Exploit |
| high severity | 686/1000 | Proof of Concept exploit, Has a fix available, CVSS 7.3 | Prototype Pollution | SNYK-JS-LODASH-608086 | Yes | Proof of Concept |
| high severity | 579/1000 | Has a fix available, CVSS 7.3 | Prototype Pollution | SNYK-JS-LODASH-73638 | Yes | No Known Exploit |
| medium severity | 434/1000 | Has a fix available, CVSS 4.4 | Regular Expression Denial of Service (ReDoS) | SNYK-JS-LODASH-73639 | Yes | No Known Exploit |
| high severity | 589/1000 | Has a fix available, CVSS 7.5 | Regular Expression Denial of Service (ReDoS) | SNYK-JS-MINIMATCH-1019388 | Yes | No Known Exploit |
| medium severity | 601/1000 | Proof of Concept exploit, Has a fix available, CVSS 5.6 | Prototype Pollution | SNYK-JS-MINIMIST-559764 | Yes | Proof of Concept |
| high severity | 589/1000 | Has a fix available, CVSS 7.5 | Regular Expression Denial of Service (ReDoS) | SNYK-JS-MOCHA-561476 | Yes | No Known Exploit |
| medium severity | 550/1000 | Has a fix available, CVSS 6.5 | Out-of-bounds Read | SNYK-JS-NODESASS-535499 | Yes | No Known Exploit |
| high severity | 630/1000 | Has a fix available, CVSS 8.1 | Out-of-bounds Read | SNYK-JS-NODESASS-535501 | Yes | No Known Exploit |
| high severity | 600/1000 | Has a fix available, CVSS 7.5 | Uncontrolled Recursion | SNYK-JS-NODESASS-535503 | Yes | No Known Exploit |
| medium severity | 550/1000 | Has a fix available, CVSS 6.5 | Resource Exhaustion | SNYK-JS-NODESASS-535504 | Yes | No Known Exploit |
| high severity | 665/1000 | Has a fix available, CVSS 8.8 | NULL Pointer Dereference | SNYK-JS-NODESASS-535505 | Yes | No Known Exploit |
| high severity | 589/1000 | Has a fix available, CVSS 7.5 | Uncontrolled Recursion | SNYK-JS-NODESASS-540960 | Yes | No Known Exploit |
| high severity | 589/1000 | Has a fix available, CVSS 7.5 | Out-of-bounds Read | SNYK-JS-NODESASS-540962 | Yes | No Known Exploit |
| high severity | 589/1000 | Has a fix available, CVSS 7.5 | Improper Input Validation | SNYK-JS-NODESASS-540966 | Yes | No Known Exploit |
| high severity | 589/1000 | Has a fix available, CVSS 7.5 | Improper Input Validation | SNYK-JS-NODESASS-540968 | Yes | No Known Exploit |
| high severity | 589/1000 | Has a fix available, CVSS 7.5 | Uncontrolled Recursion | SNYK-JS-NODESASS-540970 | Yes | No Known Exploit |
| high severity | 589/1000 | Has a fix available, CVSS 7.5 | Out-of-bounds Read | SNYK-JS-NODESASS-540972 | Yes | No Known Exploit |
| high severity | 654/1000 | Has a fix available, CVSS 8.8 | NULL Pointer Dereference | SNYK-JS-NODESASS-540974 | Yes | No Known Exploit |
| medium severity | 539/1000 | Has a fix available, CVSS 6.5 | Denial of Service (DoS) | SNYK-JS-NODESASS-540982 | Yes | No Known Exploit |
| medium severity | 539/1000 | Has a fix available, CVSS 6.5 | Out-of-bounds Read | SNYK-JS-NODESASS-540984 | Yes | No Known Exploit |
| high severity | 589/1000 | Has a fix available, CVSS 7.5 | Out-of-bounds Read | SNYK-JS-NODESASS-540986 | Yes | No Known Exploit |
| high severity | 589/1000 | Has a fix available, CVSS 7.5 | Denial of Service (DoS) | SNYK-JS-NODESASS-540988 | Yes | No Known Exploit |
| medium severity | 509/1000 | Has a fix available, CVSS 5.9 | Denial of Service (DoS) | SNYK-JS-NODESASS-542662 | Yes | No Known Exploit |
| medium severity | 586/1000 | Proof of Concept exploit, Has a fix available, CVSS 5.3 | Insecure Defaults | SNYK-JS-SOCKETIO-1024859 | Yes | Proof of Concept |
| high severity | 696/1000 | Proof of Concept exploit, Has a fix available, CVSS 7.5 | Denial of Service (DoS) | SNYK-JS-SOCKETIOPARSER-1056752 | Yes | Proof of Concept |
| high severity | 696/1000 | Recently disclosed, Has a fix available, CVSS 8.2 | Arbitrary File Overwrite | SNYK-JS-TAR-1536528 | Yes | No Known Exploit |
| high severity | 696/1000 | Recently disclosed, Has a fix available, CVSS 8.2 | Arbitrary File Overwrite | SNYK-JS-TAR-1536531 | Yes | No Known Exploit |
| high severity | 589/1000 | Has a fix available, CVSS 7.5 | Denial of Service (DoS) | SNYK-JS-TRIMNEWLINES-1298042 | Yes | No Known Exploit |
| medium severity | 479/1000 | Has a fix available, CVSS 5.3 | Regular Expression Denial of Service (ReDoS) | SNYK-JS-WS-1296835 | Yes | No Known Exploit |
| low severity | 506/1000 | Proof of Concept exploit, Has a fix available, CVSS 3.7 | Regular Expression Denial of Service (ReDoS) | npm:braces:20180219 | Yes | Proof of Concept |
| low severity | 399/1000 | Has a fix available, CVSS 3.7 | Regular Expression Denial of Service (ReDoS) | npm:debug:20170905 | Yes | No Known Exploit |
| high severity | 579/1000 | Has a fix available, CVSS 7.3 | Prototype Pollution | npm:extend:20180424 | Yes | No Known Exploit |
| critical severity | 704/1000 | Has a fix available, CVSS 9.8 | Arbitrary Code Injection | npm:growl:20160721 | Yes | No Known Exploit |
| medium severity | 529/1000 | Has a fix available, CVSS 6.3 | Prototype Pollution | npm:lodash:20180130 | Yes | No Known Exploit |
| high severity | 589/1000 | Has a fix available, CVSS 7.5 | Regular Expression Denial of Service (ReDoS) | npm:minimatch:20160620 | Yes | No Known Exploit |
| low severity | 399/1000 | Has a fix available, CVSS 3.7 | Regular Expression Denial of Service (ReDoS) | npm:ms:20170412 | Yes | No Known Exploit |
| high severity | 634/1000 | Has a fix available, CVSS 8.4 | Command Injection | npm:shell-quote:20160621 | Yes | No Known Exploit |

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: browserify-istanbul The new version differs by 12 commits.

See the full diff

Package name: gulp The new version differs by 134 commits.
  • 55eb23a Release: 4.0.0
  • 173a532 Docs: Fix the installation instructions
  • ec54d09 Docs: Improve note about out-of-date docs
  • 03b7c98 Docs: Update recipes to install gulp@next
  • 2eba29e Docs: Remove run-sequence from recipes
  • 76eb4d6 Docs: Add installation instructions & update badges
  • fbc162f Docs: Remove references to gulp-util
  • 3011cf9 Scaffold: Normalize repository
  • f27be05 Update: Remove graceful-fs from test suite
  • 361ab63 Upgrade: Update glob-watcher
  • 064d100 Build: Avoid broken node 9
  • 057df59 Release: 4.0.0-alpha.3
  • c1ba80c Breaking: Upgrade major versions of glob-watcher, gulp-cli & vinyl-fs
  • 89acc5c Docs: Improve ES2015 task exporting examples (#1999)
  • 0ac9e04 Docs: Add "Project structure" section to CONTRIBUTING.md (#1859)
  • 723cbc4 Docs: Fix syntax in recipe example (#1715)
  • d420a6a Docs: Have gulp.lastRun take a function to avoid task registration (#1828)
  • 29ece6f Upgrade: Update undertaker
  • e931cb0 Docs: Fix changelog typos (#1696)
  • 477db84 Docs: Add a "BrowserSync with Gulp 4" recipe (#1659)
  • d4ed3c7 Docs: Add options.cwd for gulp.src API (#1645)
  • 5dc3b07 Docs: Update gulp.watch API to align with glob-watcher
  • 0c66069 Breaking: Replace chokidar as gulp.watch with glob-watcher wrapper
  • c3dbc10 Docs: Clarify incremental builds example (#1609)

See the full diff

Package name: gulp-bump The new version differs by 4 commits.

See the full diff

Package name: gulp-clone The new version differs by 6 commits.

See the full diff

Package name: gulp-sass The new version differs by 42 commits.
  • 5775044 Update CHANGELOG.md
  • 978b8f6 Update to major version 5 (#802)
  • 10eae93 Update changelog for 4.1.1
  • 947b26c Upgrade lodash to fix a security issue (#776)
  • 8d6ac29 Update changelog
  • 43c0547 4.1.0
  • ebe3ec6 Set appropriate file stat times (#763)
  • 7ab018e Migrate to the lodash package
  • fa670c6 4.0.2
  • fefa00e Revert package.json version bump
  • 98254d2 Fix README typos
  • 8a14419 Continue loading Node Sass by default
  • 938afbe Add a note about synchronous versus asynchronous speed
  • 7cc2db1 Make this package implementation-agnostic
  • 643f73b Add documentation for synchronous code options
  • 0b3c7e7 4.0.1
  • daca90d Merge pull request #681 from DKvistgaard/master
  • 71471c2 Declaring logError as function instead of arrow function.
  • 450a7b8 4.0.0
  • e9b1fe8 Fix node versions in appveyor.yml
  • 44be409 Merge pull request #667 from dlmanning/next
  • 7656eff Adopt airbnb eslint preset
  • 1293169 Bump autoprefixer@^8.1.0, gulp-postcss@^7.0.1
  • 9fa817b Bump gulp-sourcemaps@^2.6.4

See the full diff

Package name: gulp-template The new version differs by 3 commits.

See the full diff

Package name: karma The new version differs by 250 commits.
  • 3653caf chore(release): 6.0.0 [skip ci]
  • 04a811d fix(ci): abandon browserstack tests for Safari and IE (#3615)
  • 4bf90f7 feat(client): update banner with connection, test status, ping times (#3611)
  • 68c4a3a chore(test): run client tests without grunt wrapper (#3604)
  • fec972f fix(middleware): catch errors when loading a module (#3605)
  • 3fca456 fix(server): clean up close-server logic (#3607)
  • 1c9c2de fix(test): mark all second connections reconnects (#3598)
  • 87f7e5e chore(license): Update copyright notice to 2020 [ci skip] (#3568)
  • e6b045f chore(deps): npm audit fix the package-lock.json (#3603)
  • 3c649fa chore(build): remove obsolete Grunt tasks (#3602)
  • 8997b74 fix(test): clear up clearContext (#3597)
  • fe0e24a chore(build): unify client bundling scripts (#3600)
  • 1a65bf1 feat(server): remove deprecated static methods (#3595)
  • fb76ed6 chore(test): remove usage of deprecated buffer API (#3596)
  • 35a5842 feat(server): print stack of unhandledrejections (#3593)
  • 4a8178f fix(client): do not reset karmaNavigating in unload handler (#3591)
  • 603bbc0 feat(cli): error out on unexpected options or parameters (#3589)
  • 7a3bd55 feat: remove support for running dart code in the browser (#3592)
  • 1b9e1de fix(deps): bump socket-io to v3 (#3586)
  • 3fed0bc fix(cve): update yargs to 16.1.1 to fix cve-2020-7774 in y18n (#3578)
  • f819fa8 fix(cve): update ua-parser-js to 0.7.23 to fix CVE-2020-7793 (#3584)
  • 05dc288 fix(context): do not error when karma is navigating (#3565)
  • e5086fc docs: clarify `browser_complete` vs `run_complete`
  • ead31cd chore(release): 5.2.3 [skip ci]

See the full diff

Package name: karma-browserify The new version differs by 45 commits.
  • 1f03ab2 5.3.0
  • 3d1ae96 chore(package): bump dev dependencies
  • 1796716 chore(project): bump lodash dependency
  • adce20f 5.2.0
  • 2a60185 chore(project): support browserify @ 16
  • cba9ba9 chore(lint): ignore example/node_modules
  • 72af250 chore(example): bump browserify + watchify versions
  • 573db5b 5.1.3
  • ff944e7 chore(package): allow browserify@15
  • 6e0fcce 5.1.2
  • 88673c4 chore(npmignore): ignore dev configuration(s)
  • 0fed147 chore(project): remove grunt + jshint
  • 08141de chore(ci): test against node {4,6,8}
  • 21bd468 chore(project): bump dev dependencies
  • e42a5be chore(project): release v5.1.1
  • dba0a80 chore(package): allow browserify@14
  • a87c211 chore(project): release v5.1.0
  • dc49a26 feat(bro): respect externalRequireName
  • b963ae9 chore(project): add all task
  • e1f85e0 test(bro): verify TypeScript compile error behavior
  • 866680d chore(project): release v5.0.5
  • b613c00 fix(project): add missing comma to pkg
  • ae3d09f chore(project): remove node 0.10 / npm 1 support via pkg.engines / travis
  • 1ea06cb chore(project): use broader semver ranges for peer deps

See the full diff

Package name: karma-coverage The new version differs by 59 commits.
  • 32acafa chore(release): 2.0.2 [skip ci]
  • bb8f9ee chore: add semantic-release for project - fix #408 (#413)
  • 9c37de6 chore: add check commit message (#411)
  • 27822c9 ci(test): use eslint as ci command and add all js files to check by eslint (#410)
  • 1adb27a ci: drop node 8, adopt node 12 (#409)
  • 4962a70 fix(reporter): update calls to match new API in istanbul-lib-report fix #398 (#403)
  • fc6e289 refactor: remove isAbsolute and replace with path.isAbsolute (#405)
  • 83bafc3 refactor: replace migrate coffee unit tests to modern JS (#407)
  • 49f174d refactor: onRunComplete method to upgrade on new major version of Istanbul (#406)
  • 4cfa697 chore: Update dev Dependencies eslint and load-grunt-tasks (#387)
  • 5cf931a fix: remove information about old istanbul lib (#404)
  • 352254a chore(deps): bump handlebars from 4.1.2 to 4.5.3 (#399)
  • 0ee780c chore(deps): bump lodash.template from 4.4.0 to 4.5.0 (#392)
  • d18cde4 chore(deps-dev): bump eslint from 2.13.1 to 4.18.2 (#397)
  • 55aeead Update Source Map Handling (#394)
  • b23664e Added debug msg whether coverage is in reporters (#396)
  • d3f53e3 chore(all): Migrate to ES6 (#385)
  • 9c8a222 Make travis file simpler (#386)
  • b76db9e Remove unused dateformat dependency (#384)
  • 075ece0 Remove unused istanbul dependency (#382)
  • 9184fc0 chore: release v2.0.1
  • 57d4bd3 chore(deps): npm audit fix --force; update travis.yml (#380)
  • 0e2800b chore: release v2.0.0
  • 99c0c35 chore: update contributors

See the full diff

Package name: mocha The new version differs by 250 commits.
  • eb781e2 Release v6.2.3
  • 10dbe94 update CHANGELOG for v6.2.3 [ci skip]
  • 848d6fb security: update mkdirp, yargs, yargs-parser
  • 843a322 6.2.2
  • aec8b02 update CHANGELOG for v6.2.2 [ci skip]
  • 7a8b95a npm audit fixes
  • cebddf2 Improve reporter documentation for mocha in browser. (#4026)
  • 3f7b987 uncaughtException: report more than one exception per test (#4033)
  • ee82d38 modify alt text of image from Backers to Sponsors inside Sponsors section in Readme (#4046)
  • e9c036c special-case parsing of "require" in unparseNodeArgs(); closes #4035 (#4063)
  • 954cf0b Fix HTMLCollection iteration to make unhide function work as expected (#4051)
  • 816dc27 uncaughtException: fix double EVENT_RUN_END events (#4025)
  • 9650d3f add OpenJS Foundation logo to website (#4008)
  • f04b81d Adopt the OpenJSF Code of Conduct (#3971)
  • aca8895 Add link checking to docs build step (#3972)
  • ef6c820 Release v6.2.1
  • 9524978 updated CHANGELOG for v6.2.1 [ci skip]
  • dfdb8b3 Update yargs to v13.3.0 (#3986)
  • 18ad1c1 treat '--require esm' as Node option (#3983)
  • fcffd5a Update yargs-unparser to v1.6.0 (#3984)
  • ad4860e Remove extraGlobals() (#3970)
  • b269ad0 Clarify effect of .skip() (#3947)
  • 1e6cf3b Add Matomo to website (#3765)
  • 91b3a54 fix style on mochajs.org (#3886)

See the full diff

Package name: uglifyify The new version differs by 21 commits.

See the full diff

With a Snyk patch:
| Severity | Priority Score (*) | Why? | Issue | Vulnerability ID | Exploit Maturity |
|---|---|---|---|---|---|
| low severity | 399/1000 | Has a fix available, CVSS 3.7 | Regular Expression Denial of Service (ReDoS) | npm:debug:20170905 | No Known Exploit |
| high severity | 589/1000 | Has a fix available, CVSS 7.5 | Regular Expression Denial of Service (ReDoS) | npm:minimatch:20160620 | No Known Exploit |
| low severity | 399/1000 | Has a fix available, CVSS 3.7 | Regular Expression Denial of Service (ReDoS) | npm:ms:20170412 | No Known Exploit |

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
  • View latest project report
  • Adjust project settings
  • Read more about Snyk's upgrade and patch logic

Successfully merging this pull request may close these issues.

Clickthrough event with HTML5 Vpaid SpotX VPAID Tags Don't Work