[Snyk] Fix for 13 vulnerabilities

[snyk-bot]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:

  • package.json

• Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
  Find out more.

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	619/1000 Why? Has a fix available, CVSS 8.1	Prototype Pollution SNYK-JS-AJV-584908	Yes	No Known Exploit
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-450202	Yes	Proof of Concept
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution SNYK-JS-LODASH-567746	Yes	Proof of Concept
	704/1000 Why? Has a fix available, CVSS 9.8	Prototype Pollution SNYK-JS-LODASH-590103	Yes	No Known Exploit
	758/1000 Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-608086	Yes	Proof of Concept
	579/1000 Why? Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-73638	Yes	No Known Exploit
	434/1000 Why? Has a fix available, CVSS 4.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	Yes	No Known Exploit
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	Yes	Proof of Concept
	641/1000 Why? Mature exploit, Has a fix available, CVSS 5.1	Uninitialized Memory Exposure npm:concat-stream:20160901	Yes	Mature
	/1000 Why?	Regular Expression Denial of Service (ReDoS) npm:jasmine-core:20180216	Yes	Proof of Concept
	529/1000 Why? Has a fix available, CVSS 6.3	Prototype Pollution npm:lodash:20180130	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: grunt-contrib-jasmine

The new version differs by 45 commits.

• 201bb2a Release v2.0.3
• 9b18221 Upgrade npm dependencies
• d0e2572 fix: build only should pass if the buildSpecrunner runs without error
• 74855ed Update dependencies
• d65dd20 v2.0.2
• d7f652f Fix typo
• 55a5f1f Wait for spec runner before larunching browser
• 408a233 Set the startTime before calling sendMessage
• a30f731 Create new optional 'noSandbox' option to launching Puppeteer with no-sandbox arg.
• a88f31b Launching Puppeteer with no-sandbox arg.
• de29770 v2.0.1
• a71cc54 Use the grunt current working directory to find the jasmine core folder (Avoid inline styles when showing jstree-rename-input adobe/brackets#277)
• f3c320c Deals with File > New should create a new untitled/unsaved document adobe/brackets#274 (TODO cleanup adobe/brackets#275)
• a21b0b1 Implement options.version (Disable File > Close if no file is open adobe/brackets#273)
• 7d3dbdc update template usage (Serialize error dialogs for save failures adobe/brackets#272)
• 51feacb Update deps (Don't need to maintain _currentFilePath in FileCommandHandlers adobe/brackets#271)
• 02e72f3 Switch from PhantomJS to Chrome Headless via Puppeteer (Need to listen to document instead of window for activation in IE adobe/brackets#269)
• 55594d0 1.2.0
• 5fc2536 Update ci (Show keyboard equivalents in the menus adobe/brackets#268)
• cc8572c Fix deprecation warning in Node.js 7 (Fix issue #149 adobe/brackets#262)
• bce574c v1.1.0
• 3a00b18 fix(dependencies): Prevent npm from installing jasmine@2.5.0 (CVE-2023-46234 (High) detected in browserify-sign-4.2.1.tgz #247)
• a3fd486 Custom temp directory (CVE-2022-25883 (High) detected in multiple libraries #240)
• 7f678cb Merge pull request CVE-2022-0144 (High) detected in shelljs-0.7.8.tgz #235 from Arkni/master

See the full diff

Package name: grunt-eslint

The new version differs by 8 commits.

• f30dd97 21.0.0
• 476f21e Update eslint to ^5.0.0 (CVE-2020-7760 (Medium) detected in codemirror-5.30.0.js, codemirror-5.30.0.tgz - autoclosed #158)
• e1d6368 Require Node.js 6 and Grunt 1
• f7a2a05 20.2.0
• 1154917 Add `failOnError` option (CVE-2021-23362 (Medium) detected in hosted-git-info-2.8.8.tgz - autoclosed #154)
• 1d97ae7 20.1.0
• 7cb3039 Meta tweaks
• d3746ac Use to latest Chalk (CVE-2020-15366 (Medium) detected in ajv-4.11.8.tgz, ajv-5.5.2.tgz #151)

See the full diff

With a Snyk patch:

Severity	Priority Score (*)	Issue	Exploit Maturity
	529/1000 Why? Has a fix available, CVSS 6.3	Prototype Pollution npm:hoek:20180212	No Known Exploit
	509/1000 Why? Has a fix available, CVSS 5.9	Regular Expression Denial of Service (ReDoS) npm:tough-cookie:20170905	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Some vulnerabilities couldn't be fully fixed and so Snyk will still find them when the project is tested again. This may be because the vulnerability existed within more than one direct dependency, but not all of the effected dependencies could be upgraded.

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

[pull-assistant]

Best reviewed: commit by commit

---

Optimal code review plan

     fix: package.json & .snyk to reduce vulnerabilities

Powered by Pull Assistant. Last update d618f08 ... d618f08. Read the comment docs.