[Snyk] Fix for 31 vulnerabilities

[nimatrazmjo]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:

  • package.json

• Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
  Find out more.

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	706/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.7	Remote Memory Exposure SNYK-JS-BL-608877	Yes	Proof of Concept
	539/1000 Why? Has a fix available, CVSS 6.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-CSVPARSE-467403	Yes	No Known Exploit
	704/1000 Why? Has a fix available, CVSS 9.8	Arbitrary File Write via Archive Extraction (Zip Slip) SNYK-JS-DECOMPRESSZIP-73598	Yes	No Known Exploit
	584/1000 Why? Has a fix available, CVSS 7.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-HAWK-2808852	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	No	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	No	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-450202	No	Proof of Concept
	731/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.2	Prototype Pollution SNYK-JS-LODASH-567746	No	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-608086	No	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-73638	No	Proof of Concept
	541/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	No	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-1019388	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-MONGODB-473855	Yes	No Known Exploit
	671/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7	Prototype Pollution SNYK-JS-PLIST-2405644	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Command Injection SNYK-JS-SSH2-1656673	No	No Known Exploit
	596/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.5	Arbitrary Code Injection SNYK-JS-UNDERSCORE-1080984	No	Proof of Concept
	484/1000 Why? Has a fix available, CVSS 5.4	XML External Entity (XXE) Injection SNYK-JS-XMLDOM-1084960	Yes	No Known Exploit
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	No	No Known Exploit
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution npm:deep-extend:20180409	No	Proof of Concept
	369/1000 Why? Has a fix available, CVSS 3.1	SSL Validation disabled by default npm:electron-packager:20160422	Yes	No Known Exploit
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:hawk:20160119	Yes	No Known Exploit
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:hoek:20180212	Yes	Proof of Concept
	539/1000 Why? Has a fix available, CVSS 6.5	Timing Attack npm:http-signature:20150122	Yes	No Known Exploit
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:lodash:20180130	No	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:minimatch:20160620	Yes	No Known Exploit
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:ms:20170412	No	No Known Exploit
	676/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.1	Regular Expression Denial of Service (ReDoS) npm:plist:20180219	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Override Protection Bypass npm:qs:20170213	Yes	No Known Exploit
	469/1000 Why? Has a fix available, CVSS 5.1	Remote Memory Exposure npm:request:20160119	Yes	No Known Exploit
	576/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.1	Uninitialized Memory Exposure npm:tunnel-agent:20170305	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: csv

The new version differs by 53 commits.

• a617a3f Bump to version 5.0.0
• 105932c package: latest dependencies
• 507e0c5 travis: test with Node.js 8, 10 and 11
• df098e0 Execute tests on Node.js 11 in CI
• bc407e0 travis: test with Node.js 7, 8 and 10
• 74a06c5 Bump to version 4.0.0
• 8d2621c es5: support older version of Node.js using Babel
• ef77448 readme: update project website url
• 57f0e19 sync: expose the sync api
• 18d4330 samples: new pipe_funny script
• 165accc samples: rewrite pipe with comments
• e817db7 README: update pipe sample
• 42eb7d3 Bump to version 3.1.0
• 82af87e csv-parse ^2.2.0 → ^2.4.0
• 4af54ec package: ignore lock files
• 8610ef6 Bump to version 3.0.2
• 6874819 package: generate js file before release
• de892f9 Bump to version 3.0.1
• 9552e35 package: attempt to re-submit npm package, no ./lib/index.js present fix #230
• 2522886 Bump to version 3.0.0
• 755ddb9 package: npm publishing workflow
• a45dea6 package: latest dependencies
• 6c689c8 package: create a changelog
• 42bceb6 package: use coffee 2

See the full diff

Package name: electron-packager

The new version differs by 250 commits.

• 5e8526a Remove accidentally committed package lock
• 537c27c 13.0.0
• d977deb Update related package links in readme
• a339b24 Use Travis CI for some Windows CI (#917)
• a533d5f Drop callback support (#916)
• 3cbb080 Remove deprecated target arch API (#915)
• 41bf218 Upgrade eslint-plugin-node to ^8
• c0c8014 Merge pull request #899 from electron-userland/notarize-support
• 229c69f Attempt to fix possible race condition with sinon.spy
• 8b9c16f Note which notarize sub-properties are required
• 5aa3d78 Reorganize some code, clarify docs, add tests
• 58c1453 feat: add support for mojave app notarization
• 3366253 Merge pull request #900 from electron-userland/drop-node-4
• 8be52c0 probot(request-info): check that issues/PRs don't have un-filled-in templates
• 8ea94db Upgrade to ESLint 5
• 20d9462 More package upgrades
• fa519cf Drop support for Node < 6
• b487df2 Merge pull request #823 from jsg2021/asar-filename
• 2183e42 Clean up
• a30d2cc Add prebuiltAsar option
• a5e0f62 12.2.0
• fb1656e Add link to electron-installer-windows (#817)
• 2164e17 Test refactors (#896)
• e3f18ec Don't handle EH/NP Helpers if they don't exist (#894)

See the full diff

Package name: gulp

The new version differs by 134 commits.

• 55eb23a Release: 4.0.0
• 173a532 Docs: Fix the installation instructions
• ec54d09 Docs: Improve note about out-of-date docs
• 03b7c98 Docs: Update recipes to install gulp@next
• 2eba29e Docs: Remove run-sequence from recipes
• 76eb4d6 Docs: Add installation instructions & update badges
• fbc162f Docs: Remove references to gulp-util
• 3011cf9 Scaffold: Normalize repository
• f27be05 Update: Remove graceful-fs from test suite
• 361ab63 Upgrade: Update glob-watcher
• 064d100 Build: Avoid broken node 9
• 057df59 Release: 4.0.0-alpha.3
• c1ba80c Breaking: Upgrade major versions of glob-watcher, gulp-cli & vinyl-fs
• 89acc5c Docs: Improve ES2015 task exporting examples (#1999)
• 0ac9e04 Docs: Add "Project structure" section to CONTRIBUTING.md (#1859)
• 723cbc4 Docs: Fix syntax in recipe example (#1715)
• d420a6a Docs: Have gulp.lastRun take a function to avoid task registration (#1828)
• 29ece6f Upgrade: Update undertaker
• e931cb0 Docs: Fix changelog typos (#1696)
• 477db84 Docs: Add a "BrowserSync with Gulp 4" recipe (#1659)
• d4ed3c7 Docs: Add options.cwd for gulp.src API (#1645)
• 5dc3b07 Docs: Update gulp.watch API to align with glob-watcher
• 0c66069 Breaking: Replace chokidar as gulp.watch with glob-watcher wrapper
• c3dbc10 Docs: Clarify incremental builds example (#1609)

See the full diff

Package name: mongodb

The new version differs by 250 commits.

• c6f417e chore(release): 3.1.13
• 210c71d fix(db_ops): ensure we async resolve errors in createCollection
• 5ad9fa9 fix(changeStream): properly handle changeStream event mid-close (#1902)
• e806be4 fix(bulk): honor ignoreUndefined in initializeUnorderedBulkOp
• 050267d fix(*): restore ability to webpack by removing `makeLazyLoader`
• 6e896f4 docs: adding aggregation, createIndex, and runCommand examples
• cb3cd12 chore(release): 3.1.12
• 508d685 Revert "chore(release): 3.2.0"
• e7619aa chore(release): 3.2.0
• d0dc228 chore(travis): include forgotten stage info for sharded builds
• ffbe90b chore(travis): run sharded tests in travis as well
• 9bef6e7 feat(core): update to mongodb-core v3.1.11
• e4bb39e chore(release): 3.1.11
• 76c0130 chore(core): bump version of mongodb-core
• a3adb3f fix(bulk): fix error propagation in empty bulk.execute
• ec0e30e doc(change-streams): correct typo, add missing example
• 10ea992 chore(package): update lock file
• fcb3ec1 test(sharded): reduce some sharded errors
• d4eae97 test(sessions): undo hack for apm events in sessions tests
• 0eaca21 test(sessions): fixing broken session test
• 6790a74 test(sharding): fixing old sharding tests
• 98f0c68 test(sharded): fixing sharded operation test
• c6a9baa test(sessions): fixing session tests in sharded env
• 985f0e9 test(drop): fixing drop assertions for sharded tests

See the full diff

Package name: tunnel-ssh

The new version differs by 63 commits.

• e798344 Merge branch 'master' of https://github.com/agebrock/tunnel-ssh
• 31ab585 Update version
• 39a4f21 Merge pull request Add a Bitdeli Badge to README officert/mongotron#89 from hackolade/master
• e3dec10 Merge pull request [Snyk Update] New fixes for 1 vulnerable dependency path #1 from lenchvolodymyr/master
• 495209b Merge pull request [Snyk Update] New fixes for 1 vulnerable dependency path #1 from lenchvolodymyr/patch/update-ssh2-version-to-1.4.0
• ca11b41 set precise ssh2 version
• 5ebc25e update ssh2 version to 1.4.0 to fix vulnurability warning
• f88fc8e Merge branch 'master' of github.com:agebrock/tunnel-ssh
• 7a7daa7 Merge pull request Load package.json without blowing up officert/mongotron#71 from amilajack/patch-1
• 40b1649 Added travis ci support
• a040a5f Change minor version.
• 91c3771 Merge pull request Connecting to replica sets officert/mongotron#65 from mymyoux/master
• 7586304 Merge pull request Cannot query collection with "-" in the name officert/mongotron#68 from aberbegall/master
• 9d5e388 Create LICENSE
• 76379ea fix uncaught error from ssh2/lib/client#connect method
• d8f1de9 Merge pull request Error Connecting .. see screenshot officert/mongotron#63 from antoniobusrod/master
• 15b33fc Fix typo in `password` property name
• a3ac972 Package update
• d31d29a Merge pull request Chrome identifies the latest download as a virus officert/mongotron#58 from zylo/master
• b38dcd4 Merge pull request Failed at the Mongotron@1.0.0-alpha.1 postinstall script 'gulp dev-sym-links'. officert/mongotron#59 from HaroldPutman/patch-1
• c181def Minor syntax fix in example
• 8899249 upgrade debug to 2.6.9
• d5e2f5c Merge pull request Tabs title text overflows officert/mongotron#50 from ivarconr/patch-1
• df9a7a0 Upgrade debug to 2.6.8

See the full diff

Package name: underscore

The new version differs by 250 commits.

• bf5a0ed Merge branch 'template-variable-parameter'
• 7e3d404 Update annotated sources and minified bundles for 1.12.1
• 5343fbc Add version 1.12.1 to the documentation
• 44df929 Bump the version to 1.12.1
• 7e89b79 Un-document the fix for #2911 for the time being
• 4c73526 Fix #2911
• ef646cc Reflect real issue of #2911 in test from #2912
• a6159ff Fix indentation in the test from #2912
• 798eafa Update the link to the preview release (bugfix)
• 07cc415 Convert all RawGit links to Statically
• db7fb6a Add temporary note about preview release to index.html
• 548fa01 Merge pull request #2913 from ognjenjevremovic/test/time-tampering-tests
• 3a5c878 test: Assertion comment updates; `_.throttle` and `_.debounce`.
• 4d5d198 test: 💍 Time tampering tests for _.throttle and _.deobounce
• a4cc7c0 Add a test to confirm we are not vulnerable to CVE-2021-23337 (#2911)
• 745e9b7 Merge pull request #2896 from anderlaw/master
• af2f919 Correct "Non-numerical values in list will be ignored"
• c9b4b63 Put back test/vendor/qunit.* static files to fix live website tests
• 311b04e Merge pull request #2892 from kritollm/master
• 6568211 Make a comment render more nicely
• 0b93f06 Fixed a few more details
• 913bcf2 Resolved changes requested.
• 769a494 throttle cleanup
• 03f9781 Reimplementing timer optimization #1269

See the full diff

With a Snyk patch:

Severity	Priority Score (*)	Issue	Exploit Maturity
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:lodash:20180130	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:minimatch:20160620	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Timing Attack
🦉 Prototype Pollution
🦉 More lessons are available in Snyk Learn