[Snyk] Fix for 9 vulnerabilities

[snyk-bot]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json
  • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	619/1000 Why? Has a fix available, CVSS 8.1	Prototype Pollution SNYK-JS-AJV-584908	No	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-CSSWHAT-1298035	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-MERGE-1040469	Yes	No Known Exploit
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-MERGE-1042987	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-NTHCHECK-1586032	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-TRIMNEWLINES-1298042	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-UGLIFYJS-1727251	Yes	No Known Exploit
	576/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.1	Uninitialized Memory Exposure npm:tunnel-agent:20170305	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: gulp-image

The new version differs by 73 commits.

• f2cc810 6.3.0
• 9371d80 chore: add files field
• 903000e chore(deps): update dependencies
• 88ecb0f chore(deps): update dependencies
• 4e5bf8c refactor: use p-event to deprecate test.cb()
• 542b78d build(deps-dev): bump xo from 0.44.0 to 0.45.0
• 41d4316 test: tweak CI
• 4e1e143 docs: fix badge url
• 8fd2ac3 fix: fix lint issues
• 55560c8 chore(deps): update dependencies
• afd9121 refactor: use native ESM
• 71c04a3 Upgrade to GitHub-native Dependabot
• 764fd72 chore(deps): fix several dependencies
• 731b4e9 chore: update svgo
• 03f6276 chore: update lockfileVersion
• d7224a7 fix: fix lint issues
• 8171f51 build(deps-dev): bump xo from 0.36.1 to 0.37.1
• b7b83e1 build(deps): bump pretty-bytes from 5.4.1 to 5.5.0
• f84af02 build(deps-dev): bump ava from 3.14.0 to 3.15.0
• 7705905 chore(deps): update xo
• 9003c0b build(deps): [security] bump ini from 1.3.5 to 1.3.7
• ccfd32b build(deps-dev): bump ava from 3.13.0 to 3.14.0
• 17087e4 refactor: use GitHub Actions instead of Travis CI
• 5bb33de chore: drop Node.js 10 support

See the full diff

Package name: gulp-rev-all

The new version differs by 28 commits.

• df99d90 Release v3.0.0
• b9bec94 Update dependencies ([Snyk] Security upgrade requests from 2.31.0 to 2.32.0 #221)
• e1d3e72 Use GitHub Actions for CI ([Snyk] Security upgrade gulp from 4.0.0 to 5.0.0 #220)
• b113d34 Bump yargs-parser from 5.0.0 to 5.0.1 ([Snyk] Security upgrade requests from 2.22.0 to 2.32.0 #219)
• 30d2fd0 Bump y18n from 3.2.1 to 3.2.2 ([Snyk] Security upgrade requests from 2.22.0 to 2.32.0 #218)
• 7fc6134 Release v2.0.3
• b709c2b Remove Prettier check (Node 8 not supported)
• 722f562 Update npm dependencies
• d3c24d2 Update prettier@2.0.2
• ec454d7 2.0.2
• 4135fb0 Call 'join_path' to replace Windows separator
• 6441ef5 2.0.1
• 0b25b7e Prefer npm scripts over gulp tasks ([Snyk] Security upgrade idna from 2.8 to 3.7 #208)
• 1f087fc 2.0.0
• 8e557e0 Update npm dependencies ([Snyk] Security upgrade black from 19.3b0 to 24.3.0 #205)
• 4a9831f Fix support for Node.js 11/12 ([Snyk] Security upgrade cbor2 from 4.1.2 to 5.6.0 #204)
• d0bf52a Release v1.0.0 ([Snyk] Fix for 14 vulnerabilities #197)
• 317401d Add more badges in README.md ([Snyk] Fix for 1 vulnerabilities #196)
• a2eafb4 Update npm dependencies ([Snyk] Security upgrade selenium from 3.141.0 to 4.15.1 #195)
• e000132 Setup ESLint ([Snyk] Security upgrade cryptography from 2.7 to 41.0.5 #194)
• c44f38c Setup Prettier ([Snyk] Security upgrade urllib3 from 1.25.3 to 1.26.18 #193)
• 1a6ae0a Commit package-lock.json ([Snyk] Security upgrade urllib3 from 1.25.3 to 1.26.18 #192)
• 743c1b9 Replace custom is_binary_file implementation with a library ([Snyk] Security upgrade certifi from 2019.3.9 to 2023.7.22 #179)
• 51c5ce8 Do not stringify contents before calling md5 hasher ([Snyk] Security upgrade cryptography from 2.7 to 39.0.1 #167)

See the full diff

Package name: gulp-sass

The new version differs by 8 commits.

• 5775044 Update CHANGELOG.md
• 978b8f6 Update to major version 5 (Fix CSS errors pypi/warehouse#802)
• 10eae93 Update changelog for 4.1.1
• 947b26c Upgrade lodash to fix a security issue (Enable "forever" caching of static assets pypi/warehouse#776)
• 8d6ac29 Update changelog
• 43c0547 4.1.0
• ebe3ec6 Set appropriate file stat times (Remove generated files & Misc fixes pypi/warehouse#763)
• 7ab018e Migrate to the lodash package

See the full diff

Package name: uglify-js

The new version differs by 250 commits.

• bca83cb v3.14.3
• a841d45 fix corner case in `awaits` (Bump rfc3986 from 1.1.0 to 1.2.0 pypi/warehouse#5160)
• eb93d92 fix corner case in `awaits` (PEP 541: Ownership of 'pitstop' package pypi/warehouse#5158)
• a0250ec fix corner case in `dead_code` (Bump botocore from 1.12.53 to 1.12.58 pypi/warehouse#5154)
• 2580162 parse `let` as symbol names correctly (Bump boto3 from 1.9.53 to 1.9.58 pypi/warehouse#5151)
• 32ae994 fix issues in tests flagged by LGTM (Increase size limit for Intel's cpu-optimized tensorflow packages on PyPi test. pypi/warehouse#5150)
• 03aec89 fix corner cases in `strings` & `templates` (Increase size limit request pypi/warehouse#5147)
• faf0190 document ECMAScript quirks (Bump msgpack from 0.5.6 to 0.6.0 pypi/warehouse#5148)
• c8b0f68 fix corner case in `merge_vars` (Bump botocore from 1.12.53 to 1.12.57 pypi/warehouse#5143)
• 87b9916 fix corner case in `inline` (Bump datadog from 0.25.0 to 0.26.0 pypi/warehouse#5141)
• 940887f fix corner case in `evaluate` (WIP: CSS updates pypi/warehouse#5139)
• 0b2573c fix corner case in `templates` (Request for size limit increase for cupy-cuda100 package pypi/warehouse#5137)
• 1575210 avoid potential RegExp denial-of-service (Bump boto3 from 1.9.53 to 1.9.55 pypi/warehouse#5135)
• f766bab enhance `templates` (Bump importlib-metadata from 0.6 to 0.7 pypi/warehouse#5131)
• 436a293 enhance `dead_code` (Bump datadog from 0.24.0 to 0.25.0 pypi/warehouse#5130)
• 55418fd fix corner case in `rests` (Bump alembic from 1.0.3 to 1.0.5 pypi/warehouse#5129)
• 8578688 v3.14.2
• 4b88dfb tweak test & warnings (Increase our project limit size pypi/warehouse#5123)
• c3aef23 fix corner case in `reduce_vars` (Bump boto3 from 1.9.50 to 1.9.52 pypi/warehouse#5121)
• db94d21 fix corner case in `side_effects` (Feature request: "view source" tool for inspecting package contents pypi/warehouse#5118)
• 9634a9d fix corner cases in `optional_chains` (Bump boto3 from 1.9.49 to 1.9.50 pypi/warehouse#5110)
• befb99b fix corner case in `inline` (Bump botocore from 1.12.50 to 1.12.51 pypi/warehouse#5115)
• 02eb8ba fix corner case in `collapse_vars` (Bump pytest from 4.0.0 to 4.0.1 pypi/warehouse#5113)
• c09f63a fix corner case in `rests` (Add missing coverage pypi/warehouse#5109)

See the full diff

Package name: webpack

The new version differs by 250 commits.

• 04f90c5 4.26.0
• e1df721 Merge pull request Bump isort from 5.2.2 to 5.3.2 pypi/warehouse#8392 from vkrol/cherry-pick-terser-to-webpack-4
• a818def fix for changed API in terser plugin warningsFilter
• b39abf4 Rename test directories too
• 311a728 Switch from uglifyjs-webpack-plugin to terser-webpack-plugin
• a230148 Merge pull request Bump boto3 from 1.14.29 to 1.14.32 pypi/warehouse#8351 from DeTeam/chunk-jsdoc-typo
• 7a0af76 Fix a typo in Chunk#split jsdoc comment
• 2361995 4.25.1
• e2a2016 Merge pull request The PyPA has adopted the PSF code of conduct pypi/warehouse#8338 from webpack/bugfix/issue-8293
• babe736 replace prefix/postfix even when equal for wrapped context
• dcd0d59 test for Fix BigQuery OOM issue by yielding rows into memory in smaller batches pypi/warehouse#8293
• af123a8 Merge pull request Bump botocore from 1.17.29 to 1.17.30 pypi/warehouse#8334 from webpack/bugfix/lint
• 36eb0bb move azure specific commands to azure-pipelines.yml
• 290094e 4.25.0
• 355590e Merge pull request Bump setuptools from 47.3.1 to 49.1.3 pypi/warehouse#8250 from Aladdin-ADD/patch-3
• 0293c3a Merge pull request Bump boto3 from 1.14.14 to 1.14.22 pypi/warehouse#8279 from smelukov/support-entry-progress
• 1ea411b Merge pull request Require to re-authenticate any time "important" or "destructive" actions are performed pypi/warehouse#8139 from NaviMarella/FormatManifest
• 4b72635 exclude watch test cases
• e35d084 increase test timeout
• 6be1411 move schema into definitions
• 3d74504 add missing hooks to progress
• 56d8a8f prevent writing the same message multiple times to stderr
• 64e3826 use flags to show different parts of the progress message
• 8c5e74f Merge branch 'master' into support-entry-progress

See the full diff

Package name: webpack-stream

The new version differs by 98 commits.

• 30a6da0 v7.0.0
• c2d19fd semistandard fixes
• 7805d59 Remove config.watch setting re-introduced from my bad merging
• 6395f19 Merge branch 'master' of github.com:shama/webpack-stream
• 7c24e86 Merge pull request [Snyk] Security upgrade black from 19.3b0 to 24.3.0 #212 from azt3k/master
• 3fc84f0 Merge branch 'master' into master
• 027135e Update comments to indicate it works with webpack 4 and 5
• bb7cd85 Merge branch 'master' of github.com:shama/webpack-stream
• 3287835 Merge pull request [Snyk] Security upgrade jinja2 from 2.10.1 to 3.1.4 #214 from the-ress/watch-message
• 141e063 Update watch for gulp >= 4
• 991d108 Merge pull request [Snyk] Security upgrade urllib3 from 2.0.7 to 2.2.2 #225 from emme1444/config-file-path
• 348eab2 Use const over var in docs
• 2b31461 Update copyright to 2021
• fdd5809 Update node engine to >= 10
• 80e0ba8 Updating dependencies
• 5759a17 Updating for semistandard@16.0.1
• 2ff8a4f Merge pull request [Snyk] Security upgrade setuptools from 40.5.0 to 70.0.0 #235 from marekdedic/webpack-5
• ff485fe Merge pull request [Snyk] Security upgrade setuptools from 40.5.0 to 70.0.0 #234 from marekdedic/webpack-peer-dependency
• 1baead2 Removed tests on Node 8
• f33fc04 Switched from hash to contenthash
• 0e30a7b Test: Fixed different chunk names in webpack 5
• 5bb70d1 Test: updated expected error message
• 99a1c03 Building in production mode by default
• 01ffd76 Updated to webpack 5

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic