[Snyk] Fix for 13 vulnerabilities

[snyk-io]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • workspaces/arborist/test/fixtures/tap-with-yarn-lock/node_modules/map-age-cleaner/package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	159/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00396, Social Trends: No, Days since published: 1136, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.99, Likelihood: 2.65, Score Version: V5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	218/1000 Why? Confidentiality impact: High, Integrity impact: High, Availability impact: High, Scope: Changed, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Local, EPSS: 0.0006, Social Trends: No, Days since published: 375, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Critical, Package Popularity Score: 99, Impact: 10.1, Likelihood: 2.16, Score Version: V5	Incomplete List of Disallowed Inputs SNYK-JS-BABELTRAVERSE-5962462	Yes	Proof of Concept
	218/1000 Why? Confidentiality impact: High, Integrity impact: High, Availability impact: High, Scope: Changed, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Local, EPSS: 0.0006, Social Trends: No, Days since published: 375, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Critical, Package Popularity Score: 99, Impact: 10.1, Likelihood: 2.16, Score Version: V5	Incomplete List of Disallowed Inputs SNYK-JS-BABELTRAVERSE-5962463	Yes	Proof of Concept
	169/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00045, Social Trends: No, Days since published: 162, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.99, Likelihood: 2.81, Score Version: V5	Uncontrolled resource consumption SNYK-JS-BRACES-6838727	Yes	Proof of Concept
	61/1000 Why? Confidentiality impact: Low, Integrity impact: Low, Availability impact: None, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): Required, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00071, Social Trends: No, Days since published: 856, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 4.19, Likelihood: 1.45, Score Version: V5	Open Redirect SNYK-JS-GOT-2932019	Yes	No Known Exploit
	141/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Local, EPSS: 0.01055, Social Trends: No, Days since published: 327, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 5.99, Likelihood: 2.35, Score Version: V5	Missing Release of Resource after Effective Lifetime SNYK-JS-INFLIGHT-6095116	Yes	Proof of Concept
	179/1000 Why? Confidentiality impact: Low, Integrity impact: Low, Availability impact: High, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): Low, Attack Complexity: High, Attack Vector: Network, EPSS: 0.01027, Social Trends: No, Days since published: 667, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 7.84, Likelihood: 2.28, Score Version: V5	Prototype Pollution SNYK-JS-JSON5-3182856	Yes	Proof of Concept
	124/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00045, Social Trends: No, Days since published: 162, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.99, Likelihood: 2.06, Score Version: V5	Inefficient Regular Expression Complexity SNYK-JS-MICROMATCH-6838728	Yes	No Known Exploit
	114/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00285, Social Trends: No, Days since published: 1241, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.99, Likelihood: 1.9, Score Version: V5	Denial of Service (DoS) SNYK-JS-TRIMNEWLINES-1298042	Yes	No Known Exploit
	115/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.01055, Social Trends: No, Days since published: 982, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.99, Likelihood: 1.92, Score Version: V5	Prototype Pollution SNYK-JS-UNSETVALUE-2400660	Yes	No Known Exploit
	137/1000 Why? Confidentiality impact: Low, Integrity impact: Low, Availability impact: Low, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: High, Attack Vector: Network, EPSS: 0.00044, Social Trends: No, Days since published: 1681, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 5.62, Likelihood: 2.42, Score Version: V5	Prototype Pollution SNYK-JS-YARGSPARSER-560381	Yes	Proof of Concept
	58/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: Low, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: High, Attack Vector: Network, EPSS: 0.00117, Social Trends: No, Days since published: 2437, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Low, Package Popularity Score: 99, Impact: 2.35, Likelihood: 2.42, Score Version: V5	Regular Expression Denial of Service (ReDoS) npm:braces:20180219	Yes	Proof of Concept
	73/1000 Why? Confidentiality impact: High, Integrity impact: None, Availability impact: None, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: High, Attack Vector: Local, EPSS: 0.01055, Social Trends: No, Days since published: 2246, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 5.99, Likelihood: 1.21, Score Version: V5	Denial of Service (DoS) npm:mem:20180117	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: ava

The new version differs by 250 commits.

• 9bc615e 4.0.0
• f09742f Clean up documentation in preparation for AVA 4
• 0187779 Dependency updates
• 29024af Test compatibility with TypeScript 4.5
• 8df118b Use AVA 4 for the self-hosted tests
• bedd1d0 Remove dependency on `equal-length`
• d4ec097 Improve wording in TypeScript recipe
• b3a1b72 Mention experimental specifier resolution in TypeScript recipe
• 77623a5 Handle path sources
• 5cdeb9d 4.0.0-rc.1
• 88e7680 Final ESM tweaks
• 60b7cf8 Align shared worker protocol identifier with provider protocols
• ad521af Graduate shared workers to be non-experimental
• 0edfd00 Skip flaky tests in CI
• c4f6723 Use thread IDs
• af30e73 Remove dead code and obsolete TODOs
• 6ed3ad1 Reduce XO exceptions
• 5a48893 Update XO and fix problems
• a7737cd Update dependencies
• dc405ef Fix Mongoose recipe
• c214512 Find ava.config.* files outside of project directory
• 44aebd9 Exclude more files from code coverage
• def2885 Improve handling of temporary file changes in watch mode
• 1a62f15 Switch to .xo-config.cjs

See the full diff

Package name: del-cli

The new version differs by 27 commits.

• f6e4605 6.0.0
• de54031 Require Node.js 18 and update dependencies
• 028ebb1 Meta tweaks
• 7de3b1e 5.1.0
• f32b531 Add `--verbose` flag ([Snyk] Security upgrade tap from 16.3.10 to 18.0.0 #37)
• dde9e11 Fix broken build ([Snyk] Security upgrade tap from 2.3.4 to 18.0.0 #36)
• e3f6996 5.0.1
• 537e5b3 Fix Windows compatibility for use with `npx`
• 68c4194 5.0.0
• b977982 Require Node.js 14
• 1f012a4 Document difference with other tools ([Snyk] Fix for 8 vulnerabilities #28)
• 1e9d718 4.0.1
• 72e377d Upgrade dependencies
• bbab826 4.0.0
• 4c65d87 Require Node.js 12 and upgrade dependencies
• 66d9ed2 Move to GitHub Actions ([Snyk] Fix for 4 vulnerabilities #20)
• 5ceb4e9 Minor tweaks
• 7c72385 Readme tweaks ([Snyk] Security upgrade tap from 16.3.10 to 18.0.0 #17)
• c1bcb2b 3.0.1
• 7e6ac3e Meta tweaks
• 922e9fe Update meow from v5 to v6 ([Snyk] Fix for 3 vulnerabilities #16)
• abbd27d Use double-quotes in examples because Windows 💩
• 58c2fe0 3.0.0
• 20072b1 Update del and devDependencies ([Snyk] Fix for 50 vulnerabilities #12)

See the full diff

Package name: nyc

The new version differs by 196 commits.

• fee2821 chore(main): release nyc 17.0.0 ([Question / Help]: How can we make sure if version in package-lock satisfies the version mentioned in package.json ? npm/cli#1558)
• 10daacc build: explicitly point to config files
• 8120112 test: remove dependency on "true" which is not on all windows sytems
• f6e5aba chore(main): release 16.0.0 (Create SessECURITY.md npm/cli#1554)
• b6ed598 fix(deps): address security alerts in deps (docs: fix build error from libvips + sharp npm/cli#1555)
• dda8e44 build: migrate to main branch (npm init v7 npm/cli#1553)
• 9ef340e build: move tests over to latest tapjs (i'm trying to install expo cli but this error _npm ERR! cb() never called! , Killed me npm/cli#1552)
• ab7c53b chore: Remove package-lock.json
• 91ae8b8 chore(deps-dev): bump standard-version from 8.0.0 to 8.0.1
• a6336e1 chore(deps): bump lodash from 4.17.15 to 4.17.19
• 82811ef docs: Mention custom reporter usage ([BUG] npm install --link should respect the save options (imho) npm/cli#1296)
• 37ce8a6 docs: Add introductory section to README ([BUG] npm audit fix updates a module when it is a major change. npm/cli#1339)
• 046a1a9 chore: Tweak self-coverage implementation (Semver cannot be used with Github gists npm/cli#1329)
• de7baa4 chore(release): 15.1.0
• 992359a feat(experimental): Support using `--all` with node.js ESM ([BUG] <title> npm/cli#1320)
• 086fd20 chore: Regenerate package-lock, update source-map-support test ([FEATURE] <title> npm/cli#1314)
• b20f751 chore: add `bugs` (used, e.g., by npmjs) ([FEATURE] <title> npm/cli#1313)
• 6898e88 chore: Fix CHANGELOG.md version header
• d9a76d5 chore(release): 15.0.1
• 3a577f0 fix: Ignore insignificant lines when coalesce text report ([BUG] npm pack completes successfully even if main is not present in the package npm/cli#1300)
• df34c1c fix: Data merge concurrency limit to prevent OOM ([QUESTION] <title> npm/cli#1293)
• befbf08 chore: A test where nyc output help text to stderr was flaky (Return a more precise error on 403 PUT error for existing package npm/cli#1269)
• 9260a70 docs: Remove `nyc` containing object in json config examples (Package install failed,[BUG] <title> npm/cli#1276)
• bed4729 chore: Minor Markdown tweaks ([BUG] npm install is not working with latest npm npm/cli#1256)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Open Redirect
🦉 Prototype Pollution

[sourcery-ai]

🧙 Sourcery has finished reviewing your pull request!

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time. You can also use
  this command to specify where the summary should be inserted.

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

We have skipped reviewing this pull request. Here's why:

• It seems to have been created by a bot (hey, snyk-io[bot]!). We assume it knows what it's doing!
• It seems to have been created by a bot ('[Snyk]' found in title). We assume it knows what it's doing!
• We don't review packaging changes - Let us know if you'd like us to change this.