[Snyk] Fix for 1 vulnerabilities

[adamlaska]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	768/1000 Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-LODASH-6139239	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: grunt-contrib-imagemin

The new version differs by 12 commits.

• 3352598 v1.0.0
• 212ec99 Merge pull request #329 from sapegin/patch-1
• 210552c Update imagemin to 4.0.0.
• 240c7c3 package.json: fix non-standard license.
• 940cdb4 Travis CI: install npm to fix test failures on node.js 0.10.
• 70cbdd4 Update appveyor.yml.
• 11daf26 CI: test node.js 4.0.
• 93f6964 Merge pull request #313 from carterchung/master
• db388f7 Fix punctuation error in README.md
• 27467d0 update readme links
• 21f151e Update appveyor.yml.
• 3bb14c8 Small tweaks

See the full diff

Package name: grunt-contrib-jasmine

The new version differs by 60 commits.

• 201bb2a Release v2.0.3
• 9b18221 Upgrade npm dependencies
• d0e2572 fix: build only should pass if the buildSpecrunner runs without error
• 74855ed Update dependencies
• d65dd20 v2.0.2
• d7f652f Fix typo
• 55a5f1f Wait for spec runner before larunching browser
• 408a233 Set the startTime before calling sendMessage
• a30f731 Create new optional 'noSandbox' option to launching Puppeteer with no-sandbox arg.
• a88f31b Launching Puppeteer with no-sandbox arg.
• de29770 v2.0.1
• a71cc54 Use the grunt current working directory to find the jasmine core folder (#277)
• f3c320c Deals with #274 (#275)
• a21b0b1 Implement options.version (#273)
• 7d3dbdc update template usage (#272)
• 51feacb Update deps (#271)
• 02e72f3 Switch from PhantomJS to Chrome Headless via Puppeteer (#269)
• 55594d0 1.2.0
• 5fc2536 Update ci (#268)
• cc8572c Fix deprecation warning in Node.js 7 (#262)
• bce574c v1.1.0
• 3a00b18 fix(dependencies): Prevent npm from installing jasmine@2.5.0 (#247)
• a3fd486 Custom temp directory (#240)
• 7f678cb Merge pull request #235 from Arkni/master

See the full diff

Package name: grunt-contrib-less

The new version differs by 77 commits.

• e6e4c29 Merge pull request #308 from gruntjs/deps
• 30f5d4b v1.3.0.
• c116cc0 Update CI configs from the latest grunt-contrib-internal.
• 6ecb76e Update lodash.
• c8506f1 Ignore latedef for now as it is used in this task
• 6065301 Update grunt and devDeps to 1.0
• 3e26653 Update docs.
• 27eea93 Update CHANGELOG.
• 2e7ea1e Merge pull request #297 from adjohnson916/patch-2
• 4df7f08 Merge pull request #298 from adjohnson916/patch-1
• 57e25ff Fix tests inconsistency.
• 6debbb4 v1.2.0 bump
• c3168e6 v1.2.0
• 43610ab Merge pull request #302 from plesiecki/patch-1
• a2db4bd update less
• 33ad236 Merge branch 'master' of github.com:gruntjs/grunt-contrib-less
• 5d5b5d6 Point main to task
• 6b5ac2d Remove peerDeps. Ref Remove peerDependencies from plugins gruntjs/grunt#1116
• e5faef8 Merge pull request #301 from ktkaushik/master
• 14a1582 adding register task name issue on README for better clarity
• 28f23e7 Update copyright to 2016
• 44b4073 Add period to plugins option in README.
• 69f153a README consistent LESS, data URI, code blocks.
• 5dab417 CI: Remove node.js '0.12' and add '5'.

See the full diff

Package name: grunt-eslint

The new version differs by 6 commits.

• 850ebc1 18.0.0
• 47eaced Close [Snyk] Fix for 2 vulnerabilities #108 PR: Updated ESLint to 2.0.0.
• 4c6a79b 17.3.2
• 7954851 don't log newline when no output
• 9f593a9 Merge pull request [DepShield] (CVSS 8.8) Vulnerability due to usage of grunt:0.4.5 #102 from ntwb/patch-1
• 24912ca Travis CI: Test on Node.js v4.x.x and v5.x.x

See the full diff

Package name: grunt-jscs

The new version differs by 22 commits.

• afe900c Release v3.0.0
• 4f2cbe2 Bump jscs to 3.0.4
• 33894a5 Update grunt to 1.0.1 and update grunt-contrib-nodeunit to 1.0.0 ([Snyk] Fix for 3 vulnerabilities #124)
• 3787cd4 Merge pull request #125 from paladox/patch-11
• 93fae93 Release v2.8.0
• e6850df Bump dependencies
• efe03eb Bump jscs to 2.11
• bd03360 Bump lodash and jshint versions
• ed026d9 Release v2.7.0
• aa8ec81 Use lodash `isEmpty` method instead of our own implementation
• 044e67c Bump jscs version to 2.9
• 36e8e61 Release v2.6.0
• e26c599 Bump dependencies
• 017d9f7 Misc: add nodejs 5 to travis
• 7210c59 Release v2.5.0
• cf81ca2 Bump jscs version to 2.7.0
• 1fcd82b Release v2.4.0
• 7a87b6a Update jscs to 2.6.0
• 40db752 Update grunt-contrib-jshint to 0.11.3
• 8ae5126 Add grunt as dependency so grunt runs
• d13072f Release v2.3.0
• d8fef95 Update jscs to 2.5.0 version

See the full diff

Package name: grunt-replace

The new version differs by 16 commits.

• e2752e4 Remove .DS_Store from root.
• e57f6ef General improvements and dependencies bump.
• 2133feb Version 1.0.1 released.
• 63eba05 Update README.md file.
• efc6db1 Version 1.0.0 released.
• e9e12cc Version 0.11.0 released.
• a41b97b Version 0.10.2 released.
• e035a65 Earlier version commit.
• f424ba7 Version 0.10.1 released.
• 53a4071 Earlier version commit.
• b9b3b0e Earlier version commit.
• e611189 Earlier version commit.
• 6ee3c84 Earlier version commit.
• caa9d18 Earlier version commit.
• 8e1adf5 Earlier version commit.
• 5657061 Version 0.10.0 released.

See the full diff

Package name: load-grunt-config

The new version differs by 36 commits.

• f5fdb0d Release 0.18.0
• 736d419 Updated load-grunt-tasks dependency from ~0.3.0 to ~3.3.0
• 6be99f6 Release 0.17.2
• e301bba Merge pull request #128 from luisfmsouza/master
• d19f517 Updating dependencies
• d97d6d0 Merge pull request [Snyk] Security upgrade grunt-contrib-jasmine from 0.9.2 to 1.0.0 #121 from SolomoN-ua/cson
• 778e800 Updated cson dependency
• c538e3b Merge pull request [Snyk] Security upgrade grunt-contrib-less from 0.12.0 to 1.0.1 #120 from jigardafda/master
• febabc4 removed unnecessary loop to find fullpaths
• 264c425 Release 0.17.1
• 952818d Merge branch 'master' into pr/95
• 12a3595 fixed tests
• 2c50e02 Revert "load js-yaml full schema support to allow regexp"
• 141ff89 fixed jshint
• 2f3da44 Merge branch 'firstandthird-master'
• ca65cc6 Merge branch 'master' of https://github.com/firstandthird/load-grunt-config into firstandthird-master
• 44f59ac Release 0.17.0
• 852b041 Merge pull request [Snyk] Security upgrade grunt-contrib-less from 0.12.0 to 1.0.0 #111 from eliep/master
• a1967cd Merge pull request [DepShield] (CVSS 7.5) Vulnerability due to usage of debug:2.2.0 #97 from itkoren/yaml-full
• ac34d09 Merge pull request [DepShield] (CVSS 7.4) Vulnerability due to usage of lodash._pickbycallback:3.0.0 #103 from FredyC/cson-support
• 5def14a Merge pull request [Snyk] Fix for 1 vulnerabilities #113 from pierceray/descexample
• 47be3d3 Merge pull request [Snyk] Fix for 1 vulnerabilities #106 from FredyC/custom-merge
• a6ad5eb Adds a small example for adding a description to the yaml
• c86f2ae Aliases to functions when the alias is an object with a description

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution

[google-cla]

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

[socket-security]

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher
npm/grunt-contrib-imagemin@1.0.1	filesystem Transitive: environment, eval, network, shell, unsafe	+183	1.99 MB	kevva
npm/grunt-contrib-jasmine@2.2.0	filesystem Transitive: environment, eval, network, shell, unsafe	+193	21.9 MB	vladikoff
npm/grunt-contrib-less@1.4.1	Transitive: environment, eval, filesystem, network	+20	3.95 MB	xhmikosr
npm/grunt-contrib-watch@1.1.0	Transitive: environment, filesystem, network	+17	486 kB	shama
npm/grunt-eslint@18.0.0	Transitive: environment, eval, filesystem, network, shell, unsafe	+122	10.2 MB	sindresorhus
npm/grunt-jscs@3.0.0	Transitive: environment, eval, filesystem, network, shell, unsafe	+71	9.43 MB	markelog
npm/grunt-replace@2.0.2	Transitive: environment, eval, filesystem, shell, unsafe	+8	1.08 MB	outatime
npm/grunt@1.6.1	Transitive: environment, eval, filesystem, shell	+81	3.4 MB	vladikoff
npm/load-grunt-config@0.18.0	filesystem Transitive: environment, eval, shell, unsafe	+42	3.01 MB	solomon

🚮 Removed packages: npm/grunt-contrib-imagemin@0.9.4, npm/grunt-contrib-jasmine@0.9.2, npm/grunt-contrib-less@0.12.0, npm/grunt-contrib-watch@0.6.1, npm/grunt-eslint@17.3.1, npm/grunt-jscs@2.2.0, npm/grunt-replace@0.9.3, npm/load-grunt-config@0.16.0

View full report↗︎

[socket-security]

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Alert	Package	Note	Source
Install scripts	npm/core-js@2.6.12	Install script: postinstall Source: node -e "try{require('./postinstall')}catch(e){}"	package.json
Install scripts	npm/puppeteer@1.20.0	Install script: install Source: node install.js	package.json

View full report↗︎

Next steps

What is an install script?

Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.

Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/foo@1.0.0 or ignore all packages with @SocketSecurity ignore-all

• @SocketSecurity ignore npm/core-js@2.6.12
• @SocketSecurity ignore npm/puppeteer@1.20.0