[Snyk] Fix for 46 vulnerabilities

[aliscco]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • test/fixtures/qs-package/node_modules/request/package.json
  • test/fixtures/qs-package/node_modules/request/.snyk

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	Yes	Proof of Concept
	671/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7	Remote Code Execution (RCE) SNYK-JS-HANDLEBARS-1056767	No	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-HANDLEBARS-1279029	No	Proof of Concept
	579/1000 Why? Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-HANDLEBARS-173692	No	No Known Exploit
	579/1000 Why? Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-HANDLEBARS-469063	No	No Known Exploit
	726/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.1	Arbitrary Code Execution SNYK-JS-HANDLEBARS-534478	No	Proof of Concept
	704/1000 Why? Has a fix available, CVSS 9.8	Prototype Pollution SNYK-JS-HANDLEBARS-534988	No	No Known Exploit
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Prototype Pollution SNYK-JS-HANDLEBARS-567742	No	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Denial of Service (DoS) SNYK-JS-HTTPPROXY-569139	No	Proof of Concept
	509/1000 Why? Has a fix available, CVSS 5.9	Denial of Service (DoS) SNYK-JS-JSYAML-173999	No	No Known Exploit
	619/1000 Why? Has a fix available, CVSS 8.1	Arbitrary Code Execution SNYK-JS-JSYAML-174129	No	No Known Exploit
	591/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.4	Cross-site Scripting (XSS) SNYK-JS-KARMA-2395349	Yes	Proof of Concept
	484/1000 Why? Has a fix available, CVSS 5.4	Open Redirect SNYK-JS-KARMA-2396325	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	Yes	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-450202	Yes	Proof of Concept
	731/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.2	Prototype Pollution SNYK-JS-LODASH-567746	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-608086	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-73638	Yes	Proof of Concept
	541/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	Yes	Proof of Concept
	489/1000 Why? Has a fix available, CVSS 5.5	Information Exposure SNYK-JS-LOG4JS-2348757	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-1019388	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-3050818	Yes	No Known Exploit
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Prototype Pollution SNYK-JS-MINIMIST-2429795	No	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	No	Proof of Concept
	619/1000 Why? Has a fix available, CVSS 8.1	Remote Code Execution (RCE) SNYK-JS-SHELLQUOTE-1766506	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Insecure Defaults SNYK-JS-SOCKETIO-1024859	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-TRIMNEWLINES-1298042	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-UGLIFYJS-1727251	Yes	No Known Exploit
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:braces:20180219	Yes	Proof of Concept
	641/1000 Why? Mature exploit, Has a fix available, CVSS 5.1	Uninitialized Memory Exposure npm:concat-stream:20160901	No	Mature
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	No	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Cross-site Scripting (XSS) npm:handlebars:20151207	No	No Known Exploit
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:lodash:20180130	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:minimatch:20160620	Yes	No Known Exploit
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:ms:20170412	No	No Known Exploit
	741/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.4	Command Injection npm:shell-quote:20160621	Yes	Proof of Concept
	629/1000 Why? Has a fix available, CVSS 8.3	Improper minification of non-boolean comparisons npm:uglify-js:20150824	No	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) npm:uglify-js:20151024	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: browserify

The new version differs by 250 commits.

• e19f256 12.0.0
• c881c07 update devdeps
• c77bf33 update glob and shell-quote
• c35f73e update builtins deps
• da949a1 update deps for streams3
• e3fbe7d update module-deps & fix symlink bug (also uses streams3)
• df43933 remove unused deps
• dca78a6 update browser-pack & fix charset bug (also uses streams3)
• 46aba9f use latest node in travis
• 76b60a9 remove node 0.8 from travis
• f5a82d8 Merge pull request [Snyk] Security upgrade django from 2.0.1 to 3.2.20 #1362 from mnichols/master
• 185be39 Merge pull request [Snyk] Security upgrade rack from 1.6.5 to 2.0.9.1 #1393 from emilbayes/patch-1
• d48ec61 Merge pull request [Snyk] Security upgrade django from 1.6.1 to 3.2.21 #1396 from stevemao/patch-3
• d847221 travis: test on node4 not "4.0.0"
• a212016 Links to the wrong querystring module
• b7cf5be 11.2.0
• bb2a99d Merge pull request [Snyk] Security upgrade django from 2.0.1 to 3.2.20 #1361 from substack/fix-bare
• e781d9d Merge pull request [Snyk] Security upgrade aiohttp from 2.2.2 to 3.8.5 #1377 from demohi/patch-2
• 05d7861 update package.json version
• 85e4b9d 11.1.0
• c1c6b72 browserify adds the '.' in case you forget it
• 97a122e Update travis Node.js version & remove io.js
• 1b73d9b bump buffer to 3.4.3 to fix maximum call stack exceeded errors
• cf32d77 Exclude "process" and "buffer" when "bundleExternal === false"

See the full diff

Package name: browserify-istanbul

The new version differs by 19 commits.

• 50af37b Merge pull request [Snyk] Security upgrade actionpack from 4.2.5 to 4.2.5.2 #35 from alexindigo/v2.0.0
• ca38f1a What does mocha say to windows? Not today!
• e286705 Housecleaning
• eda1a8d Merge pull request [Snyk] Security upgrade actionpack from 4.2.5 to 4.2.5.1 #34 from zaygraveyard/issue33
• c7dbde8 Fix: Only `require()` `istanbul` when `options.instrumenter` is not set. (fixes [Snyk] Security upgrade npm from 2.15.12 to 6.13.3 #33)
• bfafcbc 1.0.0
• ab27c00 Merge pull request [Snyk] Security upgrade nodemailer from 0.7.1 to 6.6.1 #31 from zaygraveyard/issue30
• d4bb901 Merge pull request [Snyk] Security upgrade django from 1.6.1 to 1.8.16 #27 from alexindigo/master
• 830f12a Add support for passing options to `minimatch` using `minimatchOptions` option. (fixes [Snyk] Security upgrade django from 1.6.1 to 1.8.16 #30)
• 6aabdde Made it installed istanbul friendly.
• b1c19aa Merge pull request [Snyk] Security upgrade handlebars from 2.0.0 to 3.0.8 #19 from peter-mouland/feature/bower_components-readme
• 9b3afeb add `'**/bower_components/**',` to readme after update
• e513172 0.2.1
• 3864df1 Merge pull request [Snyk] Security upgrade npmconf from 0.0.24 to 2.1.3 #18 from peter-mouland/feature/bower_components
• ce20c8b add `bower_components` to the list of `defaultIgnore` directories
• a2e9f90 0.2.0
• 60bafe7 Merge pull request [Snyk] Security upgrade actionpack from 4.2.5 to 4.2.5 #15 from bendrucker/deps
• 0ea7c2e Update minimatch + test dependencies
• 639c84d Update istanbul to 0.3

See the full diff

Package name: coveralls

The new version differs by 10 commits.

• 5ebe57f bump version
• 428780c Expand allowed dependency versions to all API compatible versions ([Snyk] Security upgrade actionpack from 4.2.5 to 4.2.11.3 #172)
• eb1b723 Update Mocha link ([Snyk] Security upgrade sanitize from 4.6.2 to 5.2.1 #169)
• b9032a1 better Jenkins detection
• 2821200 version bump
• ef7e811 Parse commit from packed refs if not available in refs dir. ([Snyk] Security upgrade django from 1.6.1 to 2.2.26 #163)
• e476964 Merge pull request [Snyk] Security upgrade django from 2.0.1 to 2.2.26 #162 from evanjbowling/patch-1
• 63a7f92 Update README.md
• d571dac merge, version bump
• 1575050 branching WIP

See the full diff

Package name: eslint

The new version differs by 250 commits.

• 4a115f5 1.9.0
• 337046c Merge pull request [Snyk] Fix for 1 vulnerabilities snyk/cli#4351 from eslint/pr4084
• 28ac028 Update: Make radix accept a "as-needed" option (fixes [Snyk-dev] Security upgrade strip-ansi from 3.0.1 to 4.0.0 snyk/cli#4048)
• e7ea88e Merge pull request chore: make win signing more consistent snyk/cli#4323 from eslint/issue4302
• 7af5f56 Merge pull request [Snyk] Fix for 1 vulnerabilities snyk/cli#4343 from briandela/issue4342
• 8b7c3a6 Fix: Update the message to include number of lines (fixes [Snyk] Fix for 4 vulnerabilities snyk/cli#4342)
• 9bffbfd Merge pull request [Snyk] Fix for 1 vulnerabilities snyk/cli#4338 from dtinth/docs-semi
• 163d5a3 Docs: ASI causes problem whether semicolons are used or not
• 8d8ad2d Merge pull request [Snyk] Security upgrade debug from 2.2.0 to 3.1.0 snyk/cli#4307 from mysticatea/core/npm3
• 37efece Merge pull request [Snyk-dev] Fix for 1 vulnerabilities snyk/cli#4330 from eslint/issue4297
• dd1ca05 Merge pull request [Snyk] Fix for 1 vulnerabilities snyk/cli#4329 from eslint/issue4321
• 6a76198 Fix: Fixer to not overlap ranges among fix objects (fixes [Snyk] Security upgrade python from 3.6-slim to 3.12.0a4-slim snyk/cli#4321)
• 99ad1ca Update: Add default to `max-nested-callbacks` (fixes [Snyk] Security upgrade debug from 2.2.0 to 3.1.0 snyk/cli#4297)
• 2c9d58b Fix: Check comments in space-in-parens (fixes [Snyk] Security upgrade debug from 2.6.9 to 3.1.0 snyk/cli#4302)
• f8c1780 Merge pull request [Snyk] Fix for 1 vulnerabilities snyk/cli#4289 from arv/no-case-declarations
• e4fed60 Merge pull request Cleanup Windows Signing [HEAD-33] snyk/cli#4325 from eslint/issue4324
• 9e402da Merge pull request fix: return artifactId & sha1 combination when package search fails snyk/cli#4326 from eslint/issue4313
• f844640 Update: Add quotes to error messages to improve clarity (fixes chore: change codeowners of help files snyk/cli#4313)
• 8e6a5f3 Fix: tests failing due to differences in temporary paths (fixes fix: exclude .build folder snyk/cli#4324)
• 8bfb581 Merge pull request fix: container python dist-packages support snyk/cli#4312 from eslint/issue4256
• c079aa8 Merge pull request chore: update gpg section in readme snyk/cli#4316 from eslint/issue4315
• 770761f Fix: Make tests compatible with Windows (fixes chore: Add new GPG key to README snyk/cli#4315)
• d6a9e52 Merge pull request [Snyk] Security upgrade micromatch from 3.1.10 to 4.0.0 snyk/cli#4306 from eslint/issue4305
• 1a7ae98 Update: Extract glob and filesystem logic from cli-engine (fixes [Snyk] Security upgrade tap from 11.1.3 to 14.6.8 snyk/cli#4305)

See the full diff

Package name: istanbul

The new version differs by 72 commits.

• 89e338f 0.4.5
• 7efe4dc update changelog, contributors
• da79378 Merge pull request [Snyk] Security upgrade actionpack from 4.2.5 to 4.2.5 #673 from popomore/swap-fileset-for-glob
• 58f4c90 swap fileset for glob
• fef889b Merge pull request [Snyk] Security upgrade qs from 0.6.6 to 6.0.4 #657 from djorg83/master
• 91bb666 log filename when file fails to parse using esprima
• 5dbd62c 0.4.4
• 5642fb4 Update changelog, contributors
• f4195bb Merge pull request [Snyk] Fix for 13 vulnerabilities #507 from Victorystick/es-modules-support
• c521035 Merge pull request [Snyk] Security upgrade jinja2 from 2.7.2 to 2.11.3 #628 from inversion/use-tmp-dir
• 66fffdc Merge pull request [Snyk] Security upgrade npm from 2.15.12 to 7.21.0 #597 from JamesMGreene/patch-1
• dfcab10 Merge pull request [Snyk] Security upgrade django from 1.6.1 to 1.8.16 #627 from a0viedo/patch-1
• abec3ae Merge pull request [Snyk] Security upgrade @google-cloud/profiler from 2.0.2 to 4.1.3 #625 from ChALkeR/tmpdir
• a9aaf53 tmp dir setting was being ignored in TmpStore
• 522f465 link build badge to master branch
• 0b5e80d use os.tmpdir() instead of os.tmpDir()
• 5069661 Set "medium" coverage CSS color scheme to yellow
• 0e8c350 Merge pull request [Snyk] Fix for 10 vulnerabilities #587 from clickthisnick/chore-remove-trailing-spaces
• fc3ba35 0.4.3
• b3de106 Update changelog, contributors
• bb5b6e1 Merge pull request [Snyk] Fix for 4 vulnerabilities #579 from jtangelder/fix-colors
• 0411600 return plain string when an invalid clazz is given
• a556a5e Merge pull request [Snyk] Fix for 10 vulnerabilities #552 from abejfehr/patch-1
• 369ed49 Merge pull request [Snyk] Security upgrade rack-protection from 1.5.3 to 1.5.3 #545 from pra85/patch-1

See the full diff

Package name: karma

The new version differs by 250 commits.

• ab4b328 chore(release): 6.3.16 [skip ci]
• ff7edbb fix(security): mitigate the "Open Redirect Vulnerability"
• c1befa0 chore(release): 6.3.15 [skip ci]
• d9dade2 fix(helper): make mkdirIfNotExists helper resilient to concurrent calls
• 653c762 ci: prevent duplicate CI tasks on creating a PR
• c97e562 chore(release): 6.3.14 [skip ci]
• 91d5acd fix: remove string template from client code
• 69cfc76 fix: warn when `singleRun` and `autoWatch` are `false`
• 839578c fix(security): remove XSS vulnerability in `returnUrl` query param
• db53785 chore(release): 6.3.13 [skip ci]
• 5bf2df3 fix(deps): bump log4js to resolve security issue
• 36ad678 chore(release): 6.3.12 [skip ci]
• 41bed33 fix: remove depreciation warning from log4js
• c985155 docs: create security.md
• c96f0c5 chore(release): 6.3.11 [skip ci]
• a5219c5 fix(deps): pin colors package to 1.4.0 due to security vulnerability
• de0df2f test: fix version regex in the CLI test case
• eddb2e8 chore(release): 6.3.10 [skip ci]
• 0d24bd9 fix(logger): create parent folders if they are missing
• b8eafe9 chore(release): 6.3.9 [skip ci]
• cf318e5 test: add test case for restarting test run on file change
• 92ffe60 fix: restartOnFileChange option not restarting the test run
• b153355 style: fix grammar error in browser capture log message
• 8f798d5 chore(release): 6.3.8 [skip ci]

See the full diff

Package name: karma-browserify

The new version differs by 85 commits.

• 1f03ab2 5.3.0
• 3d1ae96 chore(package): bump dev dependencies
• 1796716 chore(project): bump lodash dependency
• adce20f 5.2.0
• 2a60185 chore(project): support browserify @ 16
• cba9ba9 chore(lint): ignore example/node_modules
• 72af250 chore(example): bump browserify + watchify versions
• 573db5b 5.1.3
• ff944e7 chore(package): allow browserify@15
• 6e0fcce 5.1.2
• 88673c4 chore(npmignore): ignore dev configuration(s)
• 0fed147 chore(project): remove grunt + jshint
• 08141de chore(ci): test against node {4,6,8}
• 21bd468 chore(project): bump dev dependencies
• e42a5be chore(project): release v5.1.1
• dba0a80 chore(package): allow browserify@14
• a87c211 chore(project): release v5.1.0
• dc49a26 feat(bro): respect externalRequireName
• b963ae9 chore(project): add all task
• e1f85e0 test(bro): verify TypeScript compile error behavior
• 866680d chore(project): release v5.0.5
• b613c00 fix(project): add missing comma to pkg
• ae3d09f chore(project): remove node 0.10 / npm 1 support via pkg.engines / travis
• 1ea06cb chore(project): use broader semver ranges for peer deps

See the full diff

Package name: tape

The new version differs by 47 commits.

• 99f32f5 4.0.0
• cf56a13 Drop 0.8 support
• a6bdf9c Expand reporters section into "things that go well with tape"
• d6acc1e Update dependencies
• 91cb127 3.6.0
• 363b63f Merge pull request [Snyk] Security upgrade istanbul-reports from 1.5.1 to 3.1.3 #149 from substack/if-error-assert
• 4b1e452 Remove this extra test I mistakenly committed
• 04bb03e Add documentation of test.comment
• 7329ddc fix test
• 4205104 only ifError if we have an err value
• 8835f51 Merge pull request [Snyk] Security upgrade actionpack from 4.2.5 to 4.2.5.2 #139 from nowells/patch-1
• 78c2dd7 Merge pull request [Snyk] Security upgrade tap from 11.1.3 to 15.0.0 #146 from ifraixedes/patch-1
• bafca7b Fixed typo in README
• 65ef27e 3.5.1
• 36a1891 Merge pull request [Snyk] Security upgrade tap from 11.1.3 to 15.0.0 #145 from wilmoore/guard-on-uncaught
• 47f507f add caught guard to avoid referencing undefined property
• 51f2f97 3.5.0
• 25cd3de Merge pull request [Snyk] Security upgrade celery from 4.3.0 to 5.2.2 #138 from substack/non-zero
• 6ff57c2 Merge pull request [Snyk] Security upgrade tap from 11.1.3 to 15.0.0 #142 from TehShrike/patch-1
• 89f79a8 Fixing backwards t.end explanation
• 53e3cc3 Merge pull request [Snyk] Security upgrade istanbul-reports from 1.5.1 to 3.1.3 #141 from AWinterman/endArg
• 35fd42b adds note on t.end(arg) behavior
• b65d28c Added tap-difflet to README
• e3f9d01 Detect `inErrorState` with code not equal to zero

See the full diff

With a Snyk patch:

Severity	Priority Score (*)	Issue	Exploit Maturity
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	Proof of Concept
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:hoek:20180212	Proof of Concept
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:mime:20170907	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:minimatch:20160620	No Known Exploit
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:ms:20170412	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:negotiator:20160616	No Known Exploit
	469/1000 Why? Has a fix available, CVSS 5.1	Remote Memory Exposure npm:request:20160119	No Known Exploit
	509/1000 Why? Has a fix available, CVSS 5.9	Regular Expression Denial of Service (ReDoS) npm:tough-cookie:20170905	No Known Exploit
	576/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.1	Uninitialized Memory Exposure npm:tunnel-agent:20170305	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) npm:uglify-js:20151024	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Insecure Randomness npm:ws:20160920	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Some vulnerabilities couldn't be fully fixed and so Snyk will still find them when the project is tested again. This may be because the vulnerability existed within more than one direct dependency, but not all of the affected dependencies could be upgraded.

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Remote Code Execution (RCE)
🦉 Prototype Pollution
🦉 More lessons are available in Snyk Learn