[Snyk] Fix for 28 vulnerabilities

[Jankyboy]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:

  • package.json
  • package-lock.json

• Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
  Find out more.

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	619/1000 Why? Has a fix available, CVSS 8.1	Prototype Pollution SNYK-JS-AJV-584908	Yes	No Known Exploit
	295/1000 Why? CVSS 5.9	Denial of Service (DoS) SNYK-JS-JSYAML-173999	Yes	No Known Exploit
	405/1000 Why? CVSS 8.1	Arbitrary Code Execution SNYK-JS-JSYAML-174129	Yes	No Known Exploit
	/1000 Why?	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-174116	No	No Known Exploit
	/1000 Why?	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-451540	No	No Known Exploit
	/1000 Why?	Prototype Pollution SNYK-JS-MERGE-1040469	Yes	No Known Exploit
	/1000 Why?	Prototype Pollution SNYK-JS-MERGE-1042987	Yes	Proof of Concept
	/1000 Why?	Prototype Pollution SNYK-JS-MERGE-72553	No	Mature
	387/1000 Why? Proof of Concept exploit, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	No	Proof of Concept
	/1000 Why?	Denial of Service SNYK-JS-NODEFETCH-674311	Yes	No Known Exploit
	/1000 Why?	Arbitrary File Overwrite SNYK-JS-NPM-537603	Yes	Proof of Concept
	/1000 Why?	Unauthorized File Access SNYK-JS-NPM-537604	Yes	Proof of Concept
	/1000 Why?	Arbitrary File Write SNYK-JS-NPM-537606	Yes	Proof of Concept
	/1000 Why?	Insertion of Sensitive Information into Log File SNYK-JS-NPM-575435	Yes	No Known Exploit
	/1000 Why?	Regular Expression Denial of Service (ReDoS) SNYK-JS-NPMUSERVALIDATE-1019352	Yes	No Known Exploit
	220/1000 Why? CVSS 4.4	Time of Check Time of Use (TOCTOU) npm:chownr:20180731	Yes	No Known Exploit
	529/1000 Why? Has a fix available, CVSS 6.3	Prototype Pollution npm:hoek:20180212	Yes	No Known Exploit
	/1000 Why?	Access Restriction Bypass npm:npm:20180222	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: david

The new version differs by 14 commits.

• 73fc671 11.1.0
• 8497cae chore: update dependencies
• a198ada feat: ignore dependencies via globs (Does David-DM support regular git repositories? alanshaw/david-www#144)
• c29013f chore: update deps and README (olizilla is not alanshaw alanshaw/david-www#154)
• 008beaf Merge pull request if Bitbucket? alanshaw/david-www#146 from DanielRuf/chore/cache-node-modules
• d0a2e19 Merge branch 'master' into chore/cache-node-modules
• d180e8d Merge pull request add support/notifications for compromised modules alanshaw/david-www#147 from DanielRuf/chore/add-nodejs-8-10
• cc5db9f Merge pull request npm install --> npm ERR! Error: No compatible version found alanshaw/david-www#145 from DanielRuf/chore/clone-last-5-commits
• 9aeda4e chore: cache node_modules
• d4bf0e6 chore: clone last 5 commits
• db2c1f2 chore: add Node.js 8 and 10
• a3dd565 Remove hr
• 6485fcd Merge pull request Website returns error 503 alanshaw/david-www#138 from alanshaw/greenkeeper-standard-10.0.2
• 4680e0e chore(package): update standard to version 10.0.2

See the full diff

Package name: isomorphic-fetch

The new version differs by 12 commits.

• fc5e0d0 3.0.0
• 496fa43 Add version that was previously uncomitted to the package.json due to the previous release process
• 9f5a8b6 Add a list of alternatives
• 49280e6 Resolve minor security issue
• 0f5edd0 Explain why Isomorphic Fetch is needed in docs (Update dependencies. alanshaw/david-www#135)
• e32b006 Fix travis (Wrong security information alanshaw/david-www#190)
• db0aa8c Update to latest version
• 8bf02c4 Bump node-fetch from 1.7.3 to 2.6.1 (List repos in organization profile page alanshaw/david-www#189)
• 89c7e70 Merge pull request Updates alanshaw/david-www#93 from paulmelnikow/fetch_ponyfill
• 25e3cab Add link to fetch-ponyfill
• 8d33aba Merge pull request Minor improvements (2) alanshaw/david-www#90 from josiah0/update-lintspaces-cli
• c22fcda Update lintspaces-cli

See the full diff

Package name: merge

The new version differs by 29 commits.

• 56ca75b build: v2.1.1
• 7b0ddc2 fix: prototype pollution
• 8686d85 build: bump version
• 80151be build
• 0acaaf3 build: update dev dependencies
• f571887 Merge pull request Allow popular module pack graph to spill into right hand column on homepage alanshaw/david-www#38 from 418sec/master
• 869927f Merge pull request [Snyk] Fix for 21 vulnerabilities #1 from alromh87/master
• c2f8454 Fix Prototype Pollution
• bf8b1ff build: include typings
• ece8885 Merge pull request [Snyk] Security upgrade uglify-js from 3.3.12 to 3.14.3 #32 from yeikos/develop
• 43ffa43 build: include only needed files
• 7bf0fc8 fix: export default function (typings)
• 159e724 build: bump version
• 21f4105 fix: default typings
• 36d4b9c build: new npm scripts
• eabfd6f build: CommonJS support
• bf85170 test: add merge script
• 75ba781 build: add editor config
• 2d2b54a build: update ignored files
• b36036a docs: remove license copyright
• 1385593 build: update main script and description
• 2b22e6b docs: update readme
• 7cc6574 build: package-lock.json
• 29e46a8 build: ts and webpack config

See the full diff

Package name: meta-marked

The new version differs by 5 commits.

• d5de553 Bump minor versions of dependencies and bump version
• 1cc2163 Merge pull request [Snyk] Security upgrade node-sass from 4.13.1 to 6.0.1 #19 from j201/dependabot/npm_and_yarn/minimist-1.2.5
• 6448630 Bump minimist from 1.2.0 to 1.2.5
• 44c5db0 Merge pull request [Snyk] Security upgrade cssnano from 3.10.0 to 4.0.0 #17 from garyjzhao/gz/update-dependencies
• 0c73f6a updated dependencies to fix vulnerabilities

See the full diff

Package name: mkdirp

The new version differs by 4 commits.

• b2e7ba0 0.5.2
• c5b97d1 bump minimist to 1.2 to fix security issue
• f2003bb test: add v4 and v5 to travis
• b8629ff tools: update tap + mock-fs. Fix broken test

See the full diff

Package name: npm

The new version differs by 250 commits.

• 66092d5 6.14.6
• 46e91d9 update AUTHORS
• 66aab41 docs: changelog for 6.14.6
• 94eca63 npm-registry-fetch@4.0.5
• a9857b8 chore: remove auth info from logs
• 479e45c style: fix lint error with no trailing comma
• 1aec4cb test: add test for `npm doctor` that ping registry returns error
• b7ad775 fix: wrong `npm doctor` command result
• 9a2e2e7 docs: Fix typo
• c49b6ae spdx-license-ids@3.0.5
• 3dd429e docs: Add note about dropped `*` filenames
• 0ca3509 Update npm-link.md
• 2e05298 chore(docs): fixed links to cli commands
• abdf528 6.14.5
• 074f9a5 update AUTHORS
• 1238ee0 chore: remove slack notification
• 19a0230 docs: updated node-gyp links
• 36c878d chore: remove pyc files from tarball
• 0f219cc chore: reenable windows ci
• 725bef8 docs: changelog for 6.14.5
• e6d2083 nopt@4.0.3
• 8228d1f mkdirp@0.5.5
• 07a4d88 graceful-fs@4.2.4
• 5587ac0 npm-registry-fetch@4.0.4

See the full diff

Package name: prop-types

The new version differs by 23 commits.

• fa6fbb7 15.6.2
• 5115f5c Merge pull request Update libs alanshaw/david-www#180 from jaller94/master
• 2ac742c Merge pull request New apple-touch-icon.png and logo images. alanshaw/david-www#171 from barrymichaeldoyle/master
• a7a5a64 Merge pull request The API does not support CORS alanshaw/david-www#194 from facebook/no-fbjs
• d6c9c5c Preserve "Invariant Violation" name
• 07d1b47 Remove fbjs dependency
• 3c99d57 Remove trailing spaces
• a36cda8 Move explanation of `isRequired` and show it in `PropTypes.shape`
• ba3da12 Show that shapes can have required properties
• 2bde8eb Add example for `PropTypes.exact`
• d65f80e Updated vars to consts and lets in PropTypesProductionStandalone-test.js
• c10c93f Updated vars to consts and lets in PropTypesDevelopmentStandalone-test.js
• 8e2b34e Updated vars to consts and lets in PropTypesDevelopmentReact15.js
• c5527c8 Updated vars with consts and lets in PropTypesProductionReact15-test.js
• 7cc8c81 Add 15.6.1 to CHANGELOG
• 5df7296 15.6.1
• b7d03ce Point readme to correct docs for production builds (Watching dependencies alanshaw/david-www#153)
• a94243f Update the repository location (devDependency checks down? alanshaw/david-www#148)
• 77c62a7 Fix failing tests (Properly disable warnings in grunt-contrib-uglify. alanshaw/david-www#129)
• 644844c Merge pull request DevDependencies page keeps "loading" and never updates alanshaw/david-www#140 from flarnie/master
• 0b5db12 Add `CODE_OF_CONDUCT`
• a6900f0 Add CONTRIBUTING.md
• 492e230 Update README.md with improved importing for CDNs (Multiple package.json(s) alanshaw/david-www#104)

See the full diff

With a Snyk patch:

Severity	Priority Score (*)	Issue	Exploit Maturity
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution SNYK-JS-LODASH-567746	Proof of Concept
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	No Known Exploit
	579/1000 Why? Has a fix available, CVSS 7.3	Prototype Pollution npm:extend:20180424	No Known Exploit
	529/1000 Why? Has a fix available, CVSS 6.3	Prototype Pollution npm:hoek:20180212	No Known Exploit
	/1000 Why?	Regular Expression Denial of Service (ReDoS) npm:marked:20170907	No Known Exploit
	/1000 Why?	Regular Expression Denial of Service (ReDoS) npm:mime:20170907	No Known Exploit
	/1000 Why?	Denial of Service (DoS) npm:qs:20140806-1	No Known Exploit
	/1000 Why?	Remote Memory Exposure npm:request:20160119	No Known Exploit
	646/1000 Why? Mature exploit, Has a fix available, CVSS 5.2	Uninitialized Memory Exposure npm:stringstream:20180511	Mature
	509/1000 Why? Has a fix available, CVSS 5.9	Regular Expression Denial of Service (ReDoS) npm:tough-cookie:20170905	No Known Exploit
	576/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.1	Uninitialized Memory Exposure npm:tunnel-agent:20170305	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Some vulnerabilities couldn't be fully fixed and so Snyk will still find them when the project is tested again. This may be because the vulnerability existed within more than one direct dependency, but not all of the effected dependencies could be upgraded.

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

[rtd-helper]

The rtd-bot is activated, but no .github/config.yml found in this repository.
Make sure that you have it in your default branch.

[rtd-helper]

The rtd-bot is activated, but no .github/config.yml found in this repository.
Make sure that you have it in your default branch.