[Snyk] Fix for 21 vulnerabilities

[Metnew]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:

  • package.json
  • package-lock.json

• Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
  Find out more.

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	Yes	Proof of Concept
	539/1000 Why? Has a fix available, CVSS 6.5	Configuration Override SNYK-JS-HELMETCSP-469436	No	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	No	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	No	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-450202	No	Proof of Concept
	731/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.2	Prototype Pollution SNYK-JS-LODASH-567746	No	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-608086	No	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-73638	No	Proof of Concept
	541/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	No	Proof of Concept
	661/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.8	Arbitrary Code Injection SNYK-JS-MORGAN-72579	No	Proof of Concept
	539/1000 Why? Has a fix available, CVSS 6.5	Information Exposure SNYK-JS-NODEFETCH-2342118	Yes	No Known Exploit
	520/1000 Why? Has a fix available, CVSS 5.9	Denial of Service SNYK-JS-NODEFETCH-674311	Yes	No Known Exploit
	619/1000 Why? Has a fix available, CVSS 8.1	Cross-site Scripting (XSS) SNYK-JS-SERIALIZEJAVASCRIPT-536840	Yes	No Known Exploit
	706/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.7	Arbitrary Code Injection SNYK-JS-SERIALIZEJAVASCRIPT-570062	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution npm:deep-extend:20180409	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Cross-site Scripting (XSS) npm:react-dom:20180802	No	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: chokidar

The new version differs by 191 commits.

• 7b8e02a Release 3.0.0.
• e7bfe2f Move stuff.
• df7f22e Remove changelog from npm, move to hidden dir.
• 3df7692 Improve naming.
• 6e94ca2 Clean-up.
• 2de2f9c test: Add testing of Node.js v12 in Travis pipeline. (#833)
• 9e0965a Fix Windows tests in Travis CI (#832)
• c95a98f Update stuff.
• 187ff2b test: Trying to fix blinked tests for Travis CI. (#825)
• db99076 fix(Windows): Add converting from windows to unix path for all ignored paths. (#824)
• 41f8782 fix(FsEvents): Remove situation with NaN depth. (#823)
• 7cf3f7e Update readdirp to stable.
• 0927a62 Bump packages.
• 11cd857 Update nyc.
• 99c14d7 Uncomment fsevents.
• cf330a5 Update fsevents.
• 0e4fca5 Fix deps.
• 9c575d4 Fix Windows version (#821)
• 3323d59 fix(Linux): Make event loop hack for keep testing valid. (#820)
• 06214c5 Update to latest readdirp.
• 793639f Rename osxfswatch.
• 078bc2d Refactor and fix freaking tests.
• 2b9bb41 Try node 11.
• 3fe3d4e Test travis.

See the full diff

Package name: helmet

The new version differs by 85 commits.

• 5d964d4 3.21.1
• 1e9b8ea Update changelog for 3.21.1 release
• 86f1f59 Update helmet-csp to 2.9.2
• 76ca5bd Update Standard devDependency to latest version
• 0dad3c2 3.21.0
• 33cfd10 Update changelog for 3.21.0 release
• 349117f Update helmet-csp to 2.9.1
• 03d4fa6 Update x-xss-protection from 1.2.0 to 1.3.0
• 3b9d0e8 Update devDependencies to latest versions
• 80fe85f Remove old HISTORY.md
• e3ea074 Use sinon's default sandbox feature
• 968fabd 3.20.1
• d588453 Update changelog for 3.20.1 release
• a5a9679 Update Sinon and Standard to latest versions
• 844739c Update helmet-csp to v2.9.0
• b2a3700 3.20.0
• 87d7323 Update changelog for 3.20.0 release
• a711731 Update Mocha and Standard to latest versions
• 6aab72d Update helmet-csp to 2.8.0
• ac46aaf Minor: in changelog, change "updated" header in under 3.19.0
• 17707ae 3.19.0
• ca34982 Update changelog for 3.19.0 release
• 06d5bde Update all remaining outdated dependencies
• 91e071c Update helmet-crossdomain from 0.3.0 to 0.4.0

See the full diff

Package name: isomorphic-fetch

The new version differs by 12 commits.

• fc5e0d0 3.0.0
• 496fa43 Add version that was previously uncomitted to the package.json due to the previous release process
• 9f5a8b6 Add a list of alternatives
• 49280e6 Resolve minor security issue
• 0f5edd0 Explain why Isomorphic Fetch is needed in docs (Missing "<Props, State>" when static typing components with Flow. #135)
• e32b006 Fix travis (Update eslint-loader to the latest version 🚀 #190)
• db0aa8c Update to latest version
• 8bf02c4 Bump node-fetch from 1.7.3 to 2.6.1 (Update webpack-assets-manifest to the latest version 🚀 #189)
• 89c7e70 Merge pull request Malformed JWT not handled #93 from paulmelnikow/fetch_ponyfill
• 25e3cab Add link to fetch-ponyfill
• 8d33aba Merge pull request Include universal-analytics instead of current GA implementation #90 from josiah0/update-lintspaces-cli
• c22fcda Update lintspaces-cli

See the full diff

Package name: morgan

The new version differs by 27 commits.

• 572dd93 1.9.1
• e02de38 lint: apply standard 12 style
• e329663 Fix using special characters in format
• eb1968a tests: use strict equality checks
• 310b206 build: use yaml eslint configuration
• 5810937 build: Node.js@9.11
• f60afd5 build: Node.js@8.11
• 5295b0c build: eslint-plugin-standard@3.1.0
• 178daaf build: eslint-plugin-promise@3.8.0
• 7b08641 build: eslint-plugin-import@2.12.0
• 73cb666 build: eslint@4.19.1
• edc95aa build: Node.js@6.14
• ace86c3 build: Node.js@4.9
• 4dd1180 lint: apply standard 11 style
• 60c31e8 build: Node.js@9.8
• 05e382f build: Node.js@8.10
• 1a5be20 build: Node.js@6.13
• cf9565f docs: remove gratipay badge
• b66251d build: eslint-plugin-node@5.2.0
• 0113732 build: eslint-plugin-import@2.8.0
• 47659a9 deps: depd@~1.1.2
• 695f659 build: support Node.js 9.x
• f4c51e9 build: Node.js@8.9
• 4f15f36 build: Node.js@6.12

See the full diff

Package name: offline-plugin

The new version differs by 53 commits.

• df08535 [skip ci] 5.0.4
• 363a89e [ci skip] Release 5.0.5
• 56553d4 [ci skip] Release 5.0.4
• ddec2aa Fix tests
• ec987f4 Fix appShell returning the shell file when navigating to sw file's location
• 2cf8af2 Update fixtures to new webpack 4's bundle output format
• 5b9f60a Fix 'only-if-cached' in fetch event error
• 765abb0 Merge pull request #384 from julienw/patch-1
• 9b8e5de Add a link to appShell doc from the doc for cacheMaps
• 1f99abe [skip ci] Readme improvment
• a9daba4 Readme improvment
• eb9c16b Merge pull request #381 from etchteam/master
• fd22075 fix: Update deep-extend
• 1454262 [ci skip] Release 5.0.3
• a2eee00 Make `ServiceWorker.minify` option auto-detect usage of optimization.minimize (webpack 4+)
• 0f73617 [ci skip] Release 5.0.2
• 7b29577 Use never version of loader injection into "after-resolve" NMF
• 65edf58 [ci skip] Release 5.0.1
• bf055a8 Fix plugin usage without options
• c8a6344 [skip ci] Comment demo from readme for now
• 9018bd7 [ci skip] Release 5.0.0
• 5fc00d8 Remove loaders information from build scripts and tests
• b8b961f Fix addAllNormalized wrong behavior with activate and remove undocumented loaders
• 75557ad Fix `isNotRedirectedResponse` function is used without an argument

See the full diff

Package name: semantic-ui-react

The new version differs by 44 commits.

• c8fabc7 0.81.2
• 95429e6 feat(Dropdown): lazyLoad prop for menu items (#1918)
• 9af142e fix(Popup): remove semi from typings
• eae01ad fix(Input): fix icon order to ensure rounded border is kept (#2507)
• 06ab95f feat(Popup): add context prop (#2934)
• 02af086 fix(Icon): fix handling of aria-label (#2947)
• 7da1dd0 docs (Search): update layout for search example to accommodate code (#2948)
• caee404 chore(typings): update TypeScript and use tslint-config-airbnb (#2942)
• 1f01e14 chore(package): add `sideEffects: false` for Webpack 4 (#2941)
• e90cc89 chore(package): use shallowequal instead of fbjs and use alias in docs (#2940)
• 4549d14 docs(assets): move images to /public (#2935)
• 0d00166 feat(Sidebar): add lifecycle handlers (#2845)
• 3a594ba fix(examples): webpack 3 App direct import description (#2929)
• 55e9388 fix(Docs): Add babel-polyfill so that the Docs work in IE11 (#2884)
• 43793ae Fix automatic upward logic in IE11. (#2885)
• 6ae850e feat(Sticky): use SUI CSS classes (#2890)
• 531d5d1 fix(Search): wrap categorized search results with "results" (#2909)
• 4e9b8ba chore(package): update lint-stagged (#2914)
• 530a0d6 fix(Modal): remove dimmer={false} (#2882)
• 8a26279 chore(getComponentInfo): handle HOC default exports (#2883)
• 6d6f6eb fix(Icon): remove unexisting aliases (#2879)
• 84fff9d docs(changelog): update changelog [ci skip]
• b44681e 0.81.1
• 9360d31 chore(gulp): fix dist:clean task (#2871)

See the full diff

Package name: serialize-javascript

The new version differs by 49 commits.

• b54341e v3.1.0
• 7cee7e4 Revert "support for bigint (Update circular-dependency-plugin to the latest version 🚀 #80)"
• 026a445 Bump mocha from 7.1.2 to 7.2.0 (Deploying to Heroku #83)
• 5130a71 support for bigint (Update circular-dependency-plugin to the latest version 🚀 #80)
• ea76b23 Bump mocha from 7.1.1 to 7.1.2 (Update semantic-ui-react to the latest version 🚀 #82)
• 073c8d8 Bump nyc from 15.0.0 to 15.0.1 (how do you run frontend alone in prod #81)
• f21a6fb Don't replace regex / function placeholders within string literals (Demo broken on IE11. Object.assign... #79)
• 1ac487e [Security] Bump minimist from 1.2.0 to 1.2.5 (Update preload-webpack-plugin to the latest version 🚀 #78)
• c795cef Bump mocha from 7.1.0 to 7.1.1 (Replace i18n-webpack-plugin with react-i18next #77)
• 3064431 Bump mocha from 7.0.1 to 7.1.0 (Update babel-register to the latest version 🚀 #74)
• 9dbe8f6 Update example in README (Add redux-persist #73)
• f5957ee v3.0.0
• eed510c Introduce support for Infinity (Component names are replaced in React dev tools #72)
• 82bb2d2 Bump mocha from 7.0.0 to 7.0.1 (SSR: generate index.html using WebpackStats #71)
• fdfb10a Test on Node.js v12 (Add react-a11y #70)
• 2f5f126 Bump mocha from 6.2.2 to 7.0.0 (Add AutoDLL webpack-plugin #69)
• 35062c0 Bump nyc from 14.1.1 to 15.0.0 (Move from custom <LazyLoad> to react-universal-component #68)
• 6c43b02 v2.1.2
• 3e05a3f Ignore .nyc_output (npm run frontend_dev broken in master? #64)
• 3c46e8e Bump mocha from 6.2.0 to 6.2.2 (No webpack source maps in dev tools #62)
• 433fc9c 2.1.1
• 16a68ab Merge pull request from GHSA-h9rv-jmmf-4pgx
• 3bab6de Bump mocha from 6.2.1 to 6.2.2 (Dev to master #60)
• 7a6b13d Bump mocha from 6.2.0 to 6.2.1 (Dev to master #59)

See the full diff

With a Snyk patch:

Severity	Priority Score (*)	Issue	Exploit Maturity
	731/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.2	Prototype Pollution SNYK-JS-LODASH-567746	Proof of Concept
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	No Known Exploit
	579/1000 Why? Has a fix available, CVSS 7.3	Prototype Pollution npm:extend:20180424	No Known Exploit
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:hoek:20180212	Proof of Concept
	646/1000 Why? Mature exploit, Has a fix available, CVSS 5.2	Uninitialized Memory Exposure npm:stringstream:20180511	Mature
	509/1000 Why? Has a fix available, CVSS 5.9	Regular Expression Denial of Service (ReDoS) npm:tough-cookie:20170905	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Cross-site Scripting (XSS)
🦉 Prototype Pollution
🦉 More lessons are available in Snyk Learn