[Snyk] Fix for 19 vulnerabilities

[nathang21]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

As this is a private repository, Snyk-bot does not have access. Therefore, this PR has been created automatically, but appears to have been created by a real user.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json
  • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	679/1000 Why? Has a fix available, CVSS 9.3	Incomplete List of Disallowed Inputs SNYK-JS-BABELTRAVERSE-5962463	Yes	No Known Exploit
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution SNYK-JS-DOTPROP-543489	No	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	Yes	Proof of Concept
	484/1000 Why? Has a fix available, CVSS 5.4	Open Redirect SNYK-JS-GOT-2932019	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-HTTPCACHESEMANTICS-3248783	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	Yes	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-450202	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-608086	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-73638	Yes	Proof of Concept
	541/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Server-side Request Forgery (SSRF) SNYK-JS-REQUEST-3361831	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-SSRI-1246392	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Internal Property Tampering SNYK-JS-TAFFYDB-2992450	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	Yes	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-YARGSPARSER-560381	No	Proof of Concept
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:braces:20180219	Yes	Proof of Concept
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:lodash:20180130	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: codecov

The new version differs by 25 commits.

• e427d90 feat(services): add azure pipelines (#114)
• 023d204 Use small HTTP dependency (#110)
• 500f308 Update Readme
• 0ce3c76 v3.1.0
• 7c1f16e fix: support `.codecov.yml`/`codecov.yml` files for token (#108)
• 1fff4dc Allow custom `yaml` file. (#107)
• 77d7a5e Add ESLint ([Snyk] Fix for 3 vulnerabilities #93)
• 625807c Removing Makefile (#104)
• 94cd1c6 Change from istanbul to nyc (#103)
• b0b580b Update README.md
• 08ca881 v3.0.4
• 012ef08 Update dependencies (#102)
• f954f91 Prettier (#101)
• 16efd18 Update README.md
• 49257a9 Update Readme
• 15cdae3 v3.0.3
• 39dc2d8 Support non-git/hg root dirs ([Snyk] Security upgrade npm from 5.8.0 to 7.0.0 #75)
• a19efbe Updated readme
• 31926f7 v3.0.2
• 1114b03 Stop outputting upload-token in logs (#97)
• e903e88 v3.0.1 (#96)
• 75cc0dd package: unpin request so i stop getting these vulnerability reports ([Snyk] Security upgrade snyk from 1.70.2 to 1.996.0 #91)
• 4a7561e add -X s3 to disable uploading to s3 ([Snyk] Security upgrade npm from 5.8.0 to 7.0.0 #84)
• 19facba Replace the `cd` command with the `pwd` option. ([Snyk] Security upgrade njwt from 0.4.0 to 2.0.1 #85)

See the full diff

Package name: jsdoc

The new version differs by 132 commits.

• 0842185 4.0.0
• b018408 chore!: replace taffydb package with @ jsdoc/salty
• dc48aa6 3.6.11
• cccfd3d chore(deps): resolve dependency vulnerability
• ff5963a fix(deps): rollback klaw to 3.x (#2002)
• 2bf9f88 3.6.10
• ffa07da remove `npm preinstall` script (#1971)
• aab7b50 3.6.9
• 24c1354 fix installation error when installing via npm (#1970)
• c5ea65a 3.6.8
• a024054 update dependencies
• e1f1919 3.6.7
• f7a64bd chore(deps): update selected dependencies
• 3f5c462 3.6.6
• 95e3192 fix: correctly track interface members
• ef05a69 3.6.5
• a59b5cd fix: prevent circular refs when params have the same type expression
• 8d0fce6 chore: bump version; update release notes
• 91c9aa7 chore(deps): update dependencies
• ef33f07 3.6.3
• 0e468af 3.6.2
• d5e0eb0 Add 3.6.2 changelog.
• 61ae11c Ensure that ES 2015 classes appear in the generated docs when they're supposed to. (#1644)
• 03b8abd Add 3.6.1 changelog.

See the full diff

Package name: nodeunit

The new version differs by 5 commits.

• cd773a2 Merge pull request #356 from brodybits/tap-12
• 98f5a33 package.json use tap@^12.0.1 & mark version 0.11.3
• 91564c2 .travis.yml updates
• 6bd262c README.md fix first 2 section markers
• ec2ea88 add deprecation notice

See the full diff

Package name: npm

The new version differs by 250 commits.

• 3b4ba65 7.0.0
• bbfc75d chore: fix weird .gitignore thing that happened somehow
• 8a2d375 docs: changelog for v7.0.0
• 365f2e7 [email protected]
• fafb348 [email protected]
• 9306c68 [email protected]
• 569cd64 [email protected]
• ac9fde7 Integration code for @ npmcli/[email protected]
• 704b9cd @ npmcli/[email protected]
• 3955bb9 [email protected]
• da240ef fix: patch config.js to remove duplicate values
• 9ae45a8 [email protected]
• 41ab36d [email protected]
• c474a15 [email protected]
• efc6786 fix: make sure publishConfig is passed through
• 1e4e6e9 docs: v7 using npm config refresh
• 5c1c2da fix: init config aliases
• 5bc7eb2 docs: v7 npm-install refresh
• 1a35d87 7.0.0-rc.4
• 7a5a557 docs: changelog for v7.0.0-rc.4
• f0cf859 chore: dedupe deps
• 0273745 [email protected]
• 7bd47ca @ npmcli/[email protected]
• 9320b8e only escape arguments, not the command name

See the full diff

Package name: nyc

The new version differs by 52 commits.

• 4a6b327 chore(release): 13.0.1
• ae5318b chore: Update istanbul dependencies. (#896)
• d0b76e2 fix: Enable es-modules by default. (#889)
• 6b6cd5e fix: add flag to allow control of intrumenter esModules option, default to looser parsing (#863)
• c325799 docs: reference babel 7 in all places (#881)
• 7483ed9 fix: use uuid/v4 to generate unique identifiers. (#883)
• 8ab1ae3 chore: update dependencies (#872)
• 52b69ef fix: Update caching-transform options. (#873)
• 624a723 chore: update dependencies (#866)
• a5818f5 chore(release): 13.0.0
• f0d98a5 docs: update README.md with babel configuration info (#860)
• 893345a feat: allow rows with 100% statement, branch, and function coverage to be skipped in text report (#859)
• f09cf02 chore: update dependencies (#855)
• d0f654c fix: source was being instrumented twice, due to upstream fix in ista… (#853)
• adb310c chore(release): 12.0.2
• ddc9331 fix: stop bundling istanbul-lib-instrument due to npm issue on Node 6 (#854)
• b4c325b fix: don't bundle istanbul-lib-instrument due to Node 6 issues
• 9fc20e4 chore(release): 12.0.1
• 3e087d4 chore: upgrade to version of istanbul with optional catch binding (#851)
• eaf3f70 chore(release): 12.0.0
• 19b7d21 chore: upgrade to newest version of istanbul codebase (#848)
• 570a08a chore(release): 11.9.0
• 1329a3b feat: add option that allows instrument to exit on error (#850)
• bc9ffe5 chore(release): 11.8.0

See the full diff

Package name: snyk

The new version differs by 10 commits.

• 933f3f1 feat: update snyk-resolve-deps to reduce size of dependencies
• 042c476 feat: remove update notifier
• 7e10aae feat: support yarn for protect scripts
• 6b6ce94 fix: dont suggest reinstallation for yarn projects
• 80e49fd fix: update test fixures expected version
• 38f993f fix: compatability with new pip version (10.0.0)
• db91114 feat: a seperate spinner for "Analyzing deps ..."
• 6a77349 fix: update snyk-go-plugin 1.4.5 -> 1.4.6
• 334f8b1 fix: remove vulns from analytics payload if present
• 58b5437 chore: adds security document

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Prototype Pollution
🦉 Open Redirect
🦉 More lessons are available in Snyk Learn