[Snyk] Fix for 27 vulnerabilities

[joanjoantan]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	Yes	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-450202	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-608086	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-73638	Yes	Proof of Concept
	541/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	Yes	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASHTEMPLATE-1088054	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-1019388	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-3050818	Yes	No Known Exploit
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Out-of-Bounds SNYK-JS-NODESASS-535498	Yes	Proof of Concept
	761/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.8	NULL Pointer Dereference SNYK-JS-NODESASS-535500	Yes	Proof of Concept
	536/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.3	Out-of-bounds Read SNYK-JS-NODESASS-540958	Yes	Proof of Concept
	536/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.3	Uncontrolled Recursion SNYK-JS-NODESASS-540964	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Denial of Service (DoS) SNYK-JS-NODESASS-540978	Yes	Proof of Concept
	536/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.3	NULL Pointer Dereference SNYK-JS-NODESASS-540992	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Out-of-Bounds SNYK-JS-NODESASS-540998	Yes	Proof of Concept
	654/1000 Why? Has a fix available, CVSS 8.8	Use After Free SNYK-JS-NODESASS-541000	Yes	No Known Exploit
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Out-of-bounds Read SNYK-JS-NODESASS-541002	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Server-side Request Forgery (SSRF) SNYK-JS-REQUEST-3361831	Yes	Proof of Concept
	676/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.1	Improper Privilege Management SNYK-JS-SHELLJS-2332187	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-UNSETVALUE-2400660	Yes	No Known Exploit
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:lodash:20180130	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:minimatch:20160620	Yes	No Known Exploit
	324/1000 Why? Has a fix available, CVSS 2.2	Uninitialized Memory Exposure npm:utile:20180614	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: gulp

The new version differs by 134 commits.

• 55eb23a Release: 4.0.0
• 173a532 Docs: Fix the installation instructions
• ec54d09 Docs: Improve note about out-of-date docs
• 03b7c98 Docs: Update recipes to install gulp@next
• 2eba29e Docs: Remove run-sequence from recipes
• 76eb4d6 Docs: Add installation instructions & update badges
• fbc162f Docs: Remove references to gulp-util
• 3011cf9 Scaffold: Normalize repository
• f27be05 Update: Remove graceful-fs from test suite
• 361ab63 Upgrade: Update glob-watcher
• 064d100 Build: Avoid broken node 9
• 057df59 Release: 4.0.0-alpha.3
• c1ba80c Breaking: Upgrade major versions of glob-watcher, gulp-cli & vinyl-fs
• 89acc5c Docs: Improve ES2015 task exporting examples (Sprint Planning sessions review.  alphagov/govuk-prototype-kit#1999)
• 0ac9e04 Docs: Add "Project structure" section to CONTRIBUTING.md (Allow sass to live update when there are square brackets in the path alphagov/govuk-prototype-kit#1859)
• 723cbc4 Docs: Fix syntax in recipe example (Release GOV.UK Prototype Kit 12.3.0 alphagov/govuk-prototype-kit#1715)
• d420a6a Docs: Have gulp.lastRun take a function to avoid task registration (Add support for middleware property to govuk-prototype-kit-config.json file alphagov/govuk-prototype-kit#1828)
• 29ece6f Upgrade: Update undertaker
• e931cb0 Docs: Fix changelog typos (Ensure kit handles line endings consistently alphagov/govuk-prototype-kit#1696)
• 477db84 Docs: Add a "BrowserSync with Gulp 4" recipe (Fix plugin status within plugin instructions alphagov/govuk-prototype-kit#1659)
• d4ed3c7 Docs: Add options.cwd for gulp.src API (Medium priority documentation changes for v13 release  alphagov/govuk-prototype-kit#1645)
• 5dc3b07 Docs: Update gulp.watch API to align with glob-watcher
• 0c66069 Breaking: Replace chokidar as gulp.watch with glob-watcher wrapper
• c3dbc10 Docs: Clarify incremental builds example (Add tests for password page alphagov/govuk-prototype-kit#1609)

See the full diff

Package name: gulp-clean

The new version differs by 2 commits.

• 1b2503e Merge pull request [Snyk] Security upgrade gulp-sass from 3.1.0 to 5.0.0 #30 from kuangyeheng/pl
• d83c56a remove gulp-util

See the full diff

Package name: gulp-mocha

The new version differs by 28 commits.

• 983b0ac 5.0.0
• 7bc8d9c Add example of using the `exit` option (Make Windows Heroku guidance clearer alphagov/govuk-prototype-kit#185)
• 3f53145 Add example of using reporterOptions in readme.md (Smart quotes make command invalid alphagov/govuk-prototype-kit#179)
• 5045939 Improve usage example
• 64fef33 Bump Mocha to v4
• 06b96ba Meta tweaks
• ac3d7fc Drop dependency on deprecated `gulp-util` (Proposal: auto redirect to https alphagov/govuk-prototype-kit#187)
• 67b1e3e 4.3.1
• 315275f Rewrite tests to use AVA
• 4ac3c98 Cleanup
• 9ddcbd0 Convert objects to key value lists. Closes OGL logo is duplicated in footer alphagov/govuk-prototype-kit#167 (Adds gov-uk custom filters lib file alphagov/govuk-prototype-kit#171)
• 55004ca Fix `require` option for multiple entries (Add session to the kit alphagov/govuk-prototype-kit#173)
• e878086 4.3.0
• 9cedf6e Increase the max buffer
• 43f4b4d 4.2.0
• edfa4dd Forward stderr too (Broken link and typo alphagov/govuk-prototype-kit#168)
• 9e5d38a Minor readme tweaks
• 92ec619 4.1.0
• 915351f Use the local Mocha dependency of this package
• bf30380 Print mocha output immediately, not when process finished (Minor documentation update alphagov/govuk-prototype-kit#160)
• 12d44db Convert all arrays to comma separated lists for Mocha
• fbcaf85 Add compiler option description to the readme (DO NOT MERGE Auto data storage alphagov/govuk-prototype-kit#157)
• 32afe0d 4.0.1
• 4e05dce Add manual test gulpfile

See the full diff

Package name: gulp-sass

The new version differs by 38 commits.

• 5775044 Update CHANGELOG.md
• 978b8f6 Update to major version 5 (Publish Make a page guide in Prototype Kit alphagov/govuk-prototype-kit#802)
• 10eae93 Update changelog for 4.1.1
• 947b26c Upgrade lodash to fix a security issue (Al/stack rollback alphagov/govuk-prototype-kit#776)
• 8d6ac29 Update changelog
• 43c0547 4.1.0
• ebe3ec6 Set appropriate file stat times (Fix sass error alphagov/govuk-prototype-kit#763)
• 7ab018e Migrate to the lodash package
• fa670c6 4.0.2
• fefa00e Revert package.json version bump
• 98254d2 Fix README typos
• 8a14419 Continue loading Node Sass by default
• 938afbe Add a note about synchronous versus asynchronous speed
• 7cc2db1 Make this package implementation-agnostic
• 643f73b Add documentation for synchronous code options
• 0b3c7e7 4.0.1
• daca90d Merge pull request Release 8.6.0 alphagov/govuk-prototype-kit#681 from DKvistgaard/master
• 71471c2 Declaring logError as function instead of arrow function.
• 450a7b8 4.0.0
• e9b1fe8 Fix node versions in appveyor.yml
• 44be409 Merge pull request Add acorn to dependency to fix npm Warning alphagov/govuk-prototype-kit#667 from dlmanning/next
• 7656eff Adopt airbnb eslint preset
• 1293169 Bump autoprefixer@^8.1.0, gulp-postcss@^7.0.1
• 9fa817b Bump gulp-sourcemaps@^2.6.4

See the full diff

Package name: nunjucks

The new version differs by 250 commits.

• 53d1223 Release v3.2.1
• 93129bf Replace yargs with commander
• 17691da Chokidar bump
• 40dfdf0 Remove dead link
• cefb1cf Prevent optional dependency Chokidar from loading when not watching
• 1485a44 Add badges in README.md
• 2246457 Add Mozilla Code of Conduct file
• ff5571c Release v3.2.0
• f997a52 Add NodeResolveLoader
• 34b0a26 Fix syntax typos in CONTRIBUTING.md
• 55e0b7a Set dash as joiner element
• c99154e Update faq.md
• 1338712 Emit 'load' events on Loader and Environment instances
• 057e7b3 Add test for line/column info in user-function exception
• bcf38f3 Emit line and column info for functions
• fbddcd5 lexer more accurately tracks token line and column information
• 889ef80 Add nodejs versions 10 and 11 to CI, remove 6 and 9
• b828158 Fix documentation typo
• 1370361 v3.1.7
• 0a65e1f Fixes for replace example
• 2946fb4 Removed postinstall-build in favor of npm prepare script
• 9fd5bdb Add link to Plugin syntax highlighting for VSCode
• 68ba15c Fix bug where exceptions were silently swallowed with synchronous render
• 7c187ac tests: fix issue running tests on node 10.x

See the full diff

Package name: prompt

The new version differs by 79 commits.

• fbf6dac 1.2.0
• fef3933 Move off abandoned utile dependency Remove references to "latest version" of Node alphagov/govuk-prototype-kit#213
• 33febea add eslint
• c071b85 Merge pull request Stop using govuk mustache template module alphagov/govuk-prototype-kit#198 from caub/1.1
• 88c403e 1.1.0
• 756fa65 Fix inconsistent options.noHandleSIGINT for windows
• 8d5495c Merge pull request Make it easier to work with phase banners alphagov/govuk-prototype-kit#196 from caub/promisify
• 33ddf56 prompt.get promise: add test, update readme
• b92a9a9 promisify prompt.get
• 0ff93b6 Merge pull request Feature: Templates for common page types alphagov/govuk-prototype-kit#184 from dsych/windows-sigint
• 9e80863 triggering sigint on windows
• 1c95d1d Merge pull request Adds gov-uk custom filters lib file alphagov/govuk-prototype-kit#171 from blahah/master
• 65ac6e2 Merge pull request Fix closing </span> element alphagov/govuk-prototype-kit#172 from Shank09/Shank09-package.json
• d03edd0 Added missing keywords in package.json
• df42a26 Respect falsy overrides (fixes Proposal: move examples and guidance to /docs alphagov/govuk-prototype-kit#151)
• b732102 Merge pull request Fix broken url and typo alphagov/govuk-prototype-kit#169 from jordanyaker/master
• 6ebf54a Removed the pkginfo dependency. Updated the required version of winston.
• 7d1a28f Removed the pkginfo dependency.
• d550674 Merge pull request Idea - indicate 'master' in the kit, so we know if people aren't using a release alphagov/govuk-prototype-kit#163 from Eagerod/fixer/add-properties
• 9b5f65b Added a test addProperties() with no parameters.
• fb83773 Fixed an issue where the first parameter in a callback would not be the
• e7b5449 Merge pull request Add version to index page alphagov/govuk-prototype-kit#121 from rubbingalcoholic/master
• e493cb8 Merge pull request Add tutorial files alphagov/govuk-prototype-kit#153 from devrelm/devrelm.function-defaults
• 3046431 Merge pull request fix port restart issue alphagov/govuk-prototype-kit#156 from littleguga/master

See the full diff

Package name: run-sequence

The new version differs by 15 commits.

• 31103da 2.2.1
• 209e46c Drop dependency on deprecated `gulp-util` (Add warning if folder missing or module missing alphagov/govuk-prototype-kit#100)
• 37e17be 2.2.0
• c450122 Changelog, cleanup for orchestration events change
• 2155560 handle orchestration aborted events (Create config file that stores prototype configuration alphagov/govuk-prototype-kit#97)
• 066b8c6 2.1.0
• dada3f4 Added date to v1 in changelog
• f2b1635 Added options, code cleanup
• 578d017 Added a changelog, Closes Update guidance pages alphagov/govuk-prototype-kit#82
• 9fd7783 2.0.0
• d80ddf5 Specify chalk version (npm install gives warnings alphagov/govuk-prototype-kit#89)
• 59515cf Fixed typo
• 7e263af Ignore yarn lock when publishing
• b83cc34 Adding Yarn lockfile
• ee04d48 Added modern node versions to travis ci (Add missing class of form control alphagov/govuk-prototype-kit#73)

See the full diff

Package name: standard

The new version differs by 250 commits.

• 9c505a9 13.0.0
• 7f3dd5d eslint-config-standard-jsx@7.0.0
• 8cfb0ee eslint-config-standard@13.0.0
• e235cb5 changelog 13.0.0
• f125f0c add link to security disclosure policy
• bd44694 add nodejs logo; change logos to 4 per row
• f7f98bf Update CHANGELOG.md
• 5e6315c remove badge
• e3862be Update AUTHORS.md
• f796995 13.0.0-0
• 16ffaef Update CHANGELOG.md
• c1f817e bump deps
• ffb0b8e travis: drop node 6, add node 12
• d5565b5 Update CHANGELOG.md
• 4dcd00a add Nuxt.js logo
• ee3104d compress logos
• 6e077d7 standard
• d33bfe9 Merge pull request Let users know about removal of v6 support alphagov/govuk-prototype-kit#1308 from munierujp/update_japanese_documents
• dd8fe00 Create FUNDING.yml
• 318bfac readme/changelog: global installation changes
• 329a2e0 readme: fix typescript instructions
• db61e3f Update CHANGELOG.md
• 7c661eb Automatically pass on Node 6 or earlier
• 0cfc932 Update Japanese document for 40d1d5e

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Prototype Pollution
🦉 NULL Pointer Dereference
🦉 More lessons are available in Snyk Learn