[Snyk] Fix for 10 vulnerabilities

[admmasters]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	679/1000 Why? Has a fix available, CVSS 9.3	Incomplete List of Disallowed Inputs SNYK-JS-BABELTRAVERSE-5962463	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-COLORSTRING-1082939	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-HTMLMINIFIER-3091181	Yes	Proof of Concept
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Prototype Pollution SNYK-JS-MINIMIST-2429795	Yes	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-POSTCSS-1255640	Yes	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Improper Input Validation SNYK-JS-POSTCSS-5926692	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-UNSETVALUE-2400660	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: babel-eslint

The new version differs by 103 commits.

• a0fbd50 8.0.2
• 2004b91 require correct deps
• fa56d21 Always use unpad (Resolve babel-runtime relative to the config facebook/create-react-app#535)
• 295091d Allow ^ version for babel dependencies (Disable react-constant-elements because of bugs facebook/create-react-app#534)
• d3b8519 fix(package): update babylon to version 7.0.0-beta.31 (Enable watch implicitly unless on CI facebook/create-react-app#533)
• 54ab4ac 8.0.1
• c1a7882 Update README.md support (Add docs for using Promises and making AJAX requests facebook/create-react-app#531) [skip ci]
• 51100c9 chore(package): update mocha to version 4.0.0 (Add a more prominent link to the guide facebook/create-react-app#524)
• 5742b71 Adding optionalCatchBinding to plugins. (Document polyfills facebook/create-react-app#521)
• 905887c 8.0.0
• 49493e4 update to beta.0
• 42d0c5b Remove already fixed workaround (permission denied react-scripts when running in docker facebook/create-react-app#508)
• 25bd208 8.0.0-alpha.17
• 1468905 alpha.17
• 57c133e 8.0.0-alpha.15
• 1e41162 update (Allow importing static files outside src and node_modules folders facebook/create-react-app#504)
• c31b577 Readme update usage section (Change GitHub hosting instructions facebook/create-react-app#501) [skip ci]
• c2626f9 Update eslint to the latest version 🚀 (Error 'ReferenceError: "window" is not defined' in browserless environment facebook/create-react-app#500)
• 3c6b2de chore(package): update husky to version 0.14.0 (Turn some of the linter messages into errors facebook/create-react-app#498)
• e052d5a Update install instructions to use latest stable release (Allow importing assets from parent folder facebook/create-react-app#497) [skip ci]
• 8e3e088 8.0.0-alpha.13
• f757e22 Merge pull request Error handling routes containing .  facebook/create-react-app#493 from danez/regression-test
• 5736be6 Update babylon
• 37f9242 Add Prettier (Fix default package version added by global CLI facebook/create-react-app#491)

See the full diff

Package name: css-loader

The new version differs by 136 commits.

• 43179a8 chore(release): 1.0.0
• 3d53968 Merge remote-tracking branch 'origin/master'
• 240db53 version 1.0 (no-var eslint rule facebook/create-react-app#742)
• 1b7acf7 Merge remote-tracking branch 'origin/master'
• 1703721 docs(README): add more context to `localIdentName` (openBrowser() causes docker-compose set ups to fail because of spawn EACCESS  facebook/create-react-app#711)
• 1c51265 docs(README): fix malformed emoji (Extract Babel configuration to babel-preset-react-app facebook/create-react-app#701)
• 50f8ec0 Merge remote-tracking branch 'origin/master'
• 07444ad tests: css custom variables (Proxy not working facebook/create-react-app#709)
• 3de8aa7 tests: css custom variables (Proxy not working facebook/create-react-app#709)
• df497db chore(release): 0.28.11
• c788450 fix(lib/processCss): don't check `mode` for `url` handling (`options.modules`) (Fix end-to-end test to use packages from master facebook/create-react-app#698)
• c35d8bd chore(release): 0.28.10
• 9f876d2 fix(getLocalIdent): add `rootContext` support (`webpack >= v4.0.0`) (Add test for special scripts versions facebook/create-react-app#681)
• 0452f26 test: hashes inside `@ font-face` url (Add monorepo configuration with Lerna facebook/create-react-app#678)
• 630579d chore(release): 0.28.9
• 604bd4b chore(package): update dependencies
• d1d8221 fix: ignore invalid URLs (`url()`) (Corrected a typo in the comments of start.js facebook/create-react-app#663)
• 0fc46c7 chore(release): 0.28.8
• 333a2ce chore(package): update `dependencies`
• 39773aa ci(travis): use `npm`
• 8897d44 fix: proper URL escaping and wrapping (`url()`) (WIP: Add a default .npmrc file. facebook/create-react-app#627)
• 0dccfa9 fix(loader): correctly check if source map is `undefined` (Add "Adding Router" recipe facebook/create-react-app#641)
• d999f4a docs: Update importLoaders documentation (Readme: add Travis-CI badge so people can easily see there is tests facebook/create-react-app#646)
• 05c36db test: removed redundant `modules` argument (Deploying in Heroku facebook/create-react-app#599)

See the full diff

Package name: eslint

The new version differs by 250 commits.

• ff8c4bb 4.5.0
• 480bbee Build: changelog update for 4.5.0
• decdd2c Update: allow arbitrary nodes to be ignored in `indent` (fixes Array Methods Not Transpiling Correctly for Mobile Browsers (e.g. Safari, Chrome) facebook/create-react-app#8594) (React 실행 오류 facebook/create-react-app#9105)
• 79062f3 Update: fix indentation of multiline `new.target` expressions (Add performance relayer + documentation (web-vitals) facebook/create-react-app#9116)
• d00e24f Upgrade: `chalk` to 2.x release (Security Issue: npm audit error. Root dependencies for serialize-javascript Severity: High facebook/create-react-app#9115)
• 6ef734a Docs: add missing word in processor documentation (Thanks for the productivity!! facebook/create-react-app#9106)
• a4f53ba Fix: Include files with no messages in junit results (NPM ERR! facebook/create-react-app#9093) (Extract jest-preset-react facebook/create-react-app#9094)
• 1d6a9c0 Chore: enable eslint-plugin/test-case-shorthand-strings (React-Scripts Jest v24.9 vs. Jest current v26.0.1 facebook/create-react-app#9067)
• f8add8f Fix: don't autofix with linter.verifyAndFix when `fix: false` is used (Module not found: Can't resolve './node_modules/react' facebook/create-react-app#9098)
• 77bcee4 Docs: update instructions for adding TSC members (K facebook/create-react-app#9086)
• bd09cd5 Update: avoid requiring NaN spaces of indentation (fixes wrong eslint rules when extending from plugins (because 'react-scripts start' uses own, outdated version of plugin) facebook/create-react-app#9083) (eslint-loader should not cache, when process.env.EXTEND_ESLINT === 'true' facebook/create-react-app#9085)
• c93a853 Chore: Remove extra space in blogpost template (Q facebook/create-react-app#9088)
• 0d9da6d 4.4.1
• 1ea9a6c Build: changelog update for 4.4.1
• ec93614 Fix: no-multi-spaces to avoid reporting consecutive tabs (fixes Read xml files and other data facebook/create-react-app#9079) (Go facebook/create-react-app#9087)
• a113cd3 4.4.0
• 181bd46 Build: changelog update for 4.4.0
• 89196fd Upgrade: Espree to 3.5.0 (express.static overrides the route handler facebook/create-react-app#9074)
• b3e4598 Fix: clarify AST and don't use `node.start`/`node.end` (fixes "npm start" stops immediately when run as background job facebook/create-react-app#8956) (Production CSS is not minified/obfuscated facebook/create-react-app#8984)
• 62911e4 Update: Add ImportDeclaration option to indent rule (Upgrade to Jest 26 facebook/create-react-app#8955)
• de75f9b Chore: enable object-curly-newline & object-property-newline.(fixes Update deployment docs for Azure Static Web Apps facebook/create-react-app#9042) (Babel loose setting facebook/create-react-app#9068)
• 5ae8458 Docs: fix typo in object-shorthand.md (production build, JSX code missing when returned in parentheses with leading comment facebook/create-react-app#9066)
• c3d5b39 Docs: clarify options descriptions (fixes Stable ES features are not always polyfilled when needed facebook/create-react-app#8875) (Add fable-fsharp support to create react app facebook/create-react-app#9060)
• 37158c5 Docs: clarified behavior of globalReturn option (fixes Compilation error when hook called specifically after a for - of loop that contains an if - else statement facebook/create-react-app#8953) (Unable to embed a React app as a widget with JavaScript facebook/create-react-app#9058)

See the full diff

Package name: html-webpack-plugin

The new version differs by 250 commits.

• eb73905 chore(release): 4.0.0
• 42a6d4a Add typing for getHooks
• a1a37cf Release html-webpack-plugin 4.0.0-beta.14
• 97f9fb9 fix: load script files before style files files in defer script loading mode
• e97ce17 Release html-webpack-plugin 4.0.0-beta.13
• e448b5d Release html-webpack-plugin 4.0.0-beta.12
• de315eb feat: Add defer script loading
• 7df269f feat: Provide a verbose error message if html minification failed
• 1d66e53 feat: merge templateParameters with default template parameters
• dfb98e7 Fix typo in template option docts
• 096a760 Fix broken links in examples
• a195c34 docs: Update template-option documentation
• 40b410e docs: Update example for template parameters
• bf017f3 chore: Release 4.0.0-beta.11
• 2549557 test: Don't use minification for speed measurement
• de22fc2 test: Adjust measurment for node 6 on travis
• 24bf1b5 fix: Update references to html-minifier
• f4eafdc chore: Release 4.0.0-beta.10
• a2ad30a refactor: Use getAssetPath instead of calling the hook directly
• 2595a79 chore: Release 4.0.0-beta.9
• c66766c feat: Add support for minifying inline ES6 inside html templates
• 655cbcd Fix README typo
• 6de319b update lodash dependency for prototype polution vulnerability
• 35a1541 Properly encode file names emitted as part of URLs.

See the full diff

Package name: webpack

The new version differs by 250 commits.

• 4be093d 2.2.0
• 2278469 2.2.0-rc.8
• b946eb4 Merge pull request Using this breaks fs facebook/create-react-app#3988 from malstoun/bug/2664
• 260e413 Merge pull request Why the assets must be absolute path? facebook/create-react-app#3986 from webpack/bugfix/revert_use_of_buffer_dot_from
• 0ec7de9 Fix regression with watch cli opt, add tests for this case
• 72226db add missing disable line
• 4d30675 build fresh yarn.lock file to remove buffer polyfill
• 91c1f35 fix(node): rollback changes of Buffer.from to new Buffer() and bump down travis to 4.3 min node v
• 0b47602 2.2.0-rc.7
• db6ccbc Merge pull request flex attribute compile error facebook/create-react-app#3978 from webpack/bugfix/conditional-reexports
• 82a5b03 Merge pull request Build fails when packages set under devDependencies facebook/create-react-app#3977 from malstoun/bug/2664
• fc1a43b Merge pull request Flask, Build, and accessing the Static directories facebook/create-react-app#3976 from timse/rely-on-defaults
• a44694a hoist exports declarations too
• 682bde8 Fix lint
• c6d7d90 Add tests
• af8d49e remove defaults values to shave a few bytes
• 9796696 2.2.0-rc.6
• e9bdb05 Merge pull request Update instructions for continuous delivery with Netlify facebook/create-react-app#3971 from webpack/bugfix/fix_available_vars_in_fmtp
• bd45bdc add test case for global in harmony modules
• bfccb20 fix PR
• 5a3a23f fix(nmf): Fix exports for var injection to include free glob exports or arguments
• 437dce4 2.2.0-rc.5
• 91cb1df Merge pull request Detail docs about building for relative path facebook/create-react-app#3970 from webpack/ci/appveyor
• 9fd55e5 Merge pull request Hot reloading does not work in docker facebook/create-react-app#3969 from webpack/bugfix/issue-3964

See the full diff

Package name: webpack-dev-server

The new version differs by 243 commits.

• 7e18f6a 2.2.0
• e9dd0ed Upgrade webpack dependency
• cae704f Update README to new standard
• d560695 Fix broken test after webpack update
• 84a98ad update webpack dev dependency
• a947336 Refactor to ES6
• fb74672 Bring eslint config in line with webpack/webpack
• 2f9ac82 Make Travis run Node.js v4 and v6
• bbcca86 Require Node.js v4.7 or higher
• fcf5f3c (fix) proxy config with bypass and without target (Use bundled local packages in the end-to-end flow facebook/create-react-app#721)
• 00bdcd5 2.2.0-rc.0
• cffd387 update webpack-dev-middleware dep
• 1adb818 Allow webpack 2 rc
• 658280d Update License to match with webpack/webpack
• 1f60309 2.1.0-beta.12
• 7eb7a92 Add warning for issues with Node.js v7
• 8a4b070 Fix colors in CLI not working when using stats as a string
• b072535 Simplify issue template
• 5efc245 Bring back reloading the app after compiler warnings
• 2a74a08 Fix tests after the schema change
• 4131be5 Disallow usage of `true` in `contentBase` option
• 10db4a7 Allow `none` as value for the `clientLogLevel` option
• a874303 2.1.0-beta.11
• 7cb0490 Fix `--open` flag opening wrong URL when using lazy mode

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Prototype Pollution
🦉 Improper Input Validation

[changeset-bot]

⚠️ No Changeset found

Latest commit: cfc26ca

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR