[Snyk] Fix for 40 vulnerabilities

[aliscco]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • test/fixtures/hbs-demo/node_modules/handlebars/package.json
  • test/fixtures/hbs-demo/node_modules/handlebars/.snyk

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-AWSSDK-1059424	Yes	Proof of Concept
	751/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.6	Prototype Pollution SNYK-JS-DUSTJSLINKEDIN-1089257	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-GETOBJECT-1054932	Yes	No Known Exploit
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Directory Traversal SNYK-JS-GRUNT-2635969	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Race Condition SNYK-JS-GRUNT-2813632	Yes	Proof of Concept
	569/1000 Why? Has a fix available, CVSS 7.1	Arbitrary Code Execution SNYK-JS-GRUNT-597546	Yes	No Known Exploit
	626/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.1	Man-in-the-Middle (MitM) SNYK-JS-HTTPSPROXYAGENT-469131	Yes	Proof of Concept
	619/1000 Why? Has a fix available, CVSS 8.1	Arbitrary Code Execution SNYK-JS-JSYAML-174129	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	Yes	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-450202	Yes	Proof of Concept
	731/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.2	Prototype Pollution SNYK-JS-LODASH-567746	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-608086	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-73638	Yes	Proof of Concept
	541/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-1019388	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-3050818	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MOCHA-2863123	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MOCHA-561476	Yes	No Known Exploit
	704/1000 Why? Has a fix available, CVSS 9.8	Arbitrary Code Injection SNYK-JS-OPEN-174041	No	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Poisoning SNYK-JS-QS-3153490	No	Proof of Concept
	676/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.1	Improper Privilege Management SNYK-JS-SHELLJS-2332187	Yes	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-UGLIFYJS-1727251	Yes	No Known Exploit
	596/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.5	Arbitrary Code Injection SNYK-JS-UNDERSCORE-1080984	No	Proof of Concept
	658/1000 Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 5.3	Prototype Pollution SNYK-JS-XML2JS-5414874	Yes	Proof of Concept
	539/1000 Why? Has a fix available, CVSS 6.5	Cross-site Scripting (XSS) npm:connect:20130701	No	No Known Exploit
	529/1000 Why? Has a fix available, CVSS 6.3	Non-Constant Time String Comparison npm:cookie-signature:20160804	No	No Known Exploit
	644/1000 Why? Has a fix available, CVSS 8.6	Code Injection npm:dustjs-linkedin:20160819	No	No Known Exploit
	704/1000 Why? Has a fix available, CVSS 9.8	Arbitrary Code Injection npm:growl:20160721	Yes	No Known Exploit
	796/1000 Why? Mature exploit, Has a fix available, CVSS 8.2	Uninitialized Memory Exposure npm:https-proxy-agent:20180402	Yes	Mature
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:lodash:20180130	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:minimatch:20160620	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Content Injection due to quoteless attributes npm:mustache:20151207	Yes	No Known Exploit
	741/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.4	Arbitrary Command Injection npm:open:20180512	No	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) npm:qs:20140806	No	No Known Exploit
	539/1000 Why? Has a fix available, CVSS 6.5	Denial of Service (DoS) npm:qs:20140806-1	No	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Override Protection Bypass npm:qs:20170213	No	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) npm:semver:20150403	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) npm:uglify-js:20151024	No	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: grunt-contrib-jshint

The new version differs by 57 commits.

• 1910674 3.1.0
• b7edf02 update jshint to ~2.13.0
• 270d8dd Merge pull request [Snyk] Security upgrade actionpack from 4.2.5 to 5.2.7.1 #303 from gruntjs/dependabot/npm_and_yarn/path-parse-1.0.7
• 77dca66 Bump path-parse from 1.0.6 to 1.0.7
• 1028d82 Merge pull request [Snyk] Security upgrade ejs from 1.0.0 to 3.1.7 #301 from gruntjs/dependabot/npm_and_yarn/hosted-git-info-2.8.9
• eb0314f Bump hosted-git-info from 2.8.8 to 2.8.9
• 337623c Merge pull request [Snyk] Security upgrade Newtonsoft.Json from 10.0.3 to 13.0.1 #300 from gruntjs/dependabot/npm_and_yarn/lodash-4.17.21
• 51e07d4 Bump lodash from 4.17.20 to 4.17.21
• 9c08ff1 Merge pull request [Snyk] Security upgrade Newtonsoft.Json from 10.0.3 to 13.0.1 #299 from gruntjs/dependabot/npm_and_yarn/y18n-4.0.1
• 7834701 Bump y18n from 4.0.0 to 4.0.1
• d4359aa Merge pull request [Snyk] Security upgrade python from 3.6-slim to 3.11.0a7-slim #298 from gruntjs/dependabot/npm_and_yarn/ini-1.3.8
• 52f5e31 Bump ini from 1.3.5 to 1.3.8
• 8f597c2 Add changelog
• fc210e7 Merge pull request [Snyk] Security upgrade sanitize from 4.6.2 to 5.2.1 #275 from raddevon/patch-1
• 03f4302 Merge pull request [Snyk] Security upgrade python from 3.6-slim to 3.8-slim #297 from gruntjs/peer-dep
• 01d13d2 Remove Grunt peerDependency
• c78f6ee Merge pull request [Snyk] Security upgrade snyk from 1.101.1 to 1.230.7 #296 from gruntjs/chalk-upt
• 656f31b Update chalk
• 16ee83d Merge pull request [Snyk] Security upgrade bl from 1.1.2 to 1.2.3 #295 from gruntjs/uptdate-deps-oct
• df2b06d Update dependencies, switch to github actions
• 9bb54cd Merge pull request [Snyk] Security upgrade snyk-config from 1.0.1 to 4.0.0 #291 from gruntjs/dependabot/npm_and_yarn/lodash-4.17.15
• d2e4063 Bump lodash from 4.17.10 to 4.17.15
• cfd9ade Merge pull request [Snyk] Security upgrade actionpack from 4.2.5 to 4.2.5 #290 from gruntjs/ver
• 12045c1 v2.1.0

See the full diff

Package name: grunt-saucelabs

The new version differs by 17 commits.

• 127cac2 9.0.1
• a1168fb Merge pull request [Snyk] Security upgrade django from 1.6.1 to 1.8.16 #231 from digitalfrost/patch-1
• 6bc91b4 Merge pull request [Snyk] Security upgrade python from 3.6-slim to 3.10-slim #232 from digitalfrost/patch-2
• 5d8c4a6 fix no license warning
• d5ee483 updated saucelabs and lodash versions to fix security vulnerabilities
• aa53f32 Merge pull request [Snyk] Security upgrade python from 3.6-slim to 3.7-slim #227 from EsrefDurna/master
• c09fd99 updated package merge from 1.1.3 to 1.2.0
• 09bbcef Merge pull request [Snyk] Security upgrade snyk from 1.101.1 to 1.230.7 #226 from bryant1410/master
• 4caa37d Fix broken Markdown headings
• bfbb218 v9.0.0
• 8733a26 fix formatting
• dde2a07 Revert "update grunt dependencies"
• daee378 update grunt dependencies
• 7f2718c remove testing and docs on YUI Test support
• 2e059b0 update Sauce Connect to version 4.3.16
• 0dffbca update some dependencies
• 4018e76 attempt to solve race condition for yui test

See the full diff

Package name: istanbul

The new version differs by 72 commits.

• 89e338f 0.4.5
• 7efe4dc update changelog, contributors
• da79378 Merge pull request [Snyk] Security upgrade actionpack from 4.2.5 to 4.2.5 #673 from popomore/swap-fileset-for-glob
• 58f4c90 swap fileset for glob
• fef889b Merge pull request [Snyk] Security upgrade qs from 0.6.6 to 6.0.4 #657 from djorg83/master
• 91bb666 log filename when file fails to parse using esprima
• 5dbd62c 0.4.4
• 5642fb4 Update changelog, contributors
• f4195bb Merge pull request [Snyk] Fix for 13 vulnerabilities #507 from Victorystick/es-modules-support
• c521035 Merge pull request [Snyk] Security upgrade jinja2 from 2.7.2 to 2.11.3 #628 from inversion/use-tmp-dir
• 66fffdc Merge pull request [Snyk] Security upgrade npm from 2.15.12 to 7.21.0 #597 from JamesMGreene/patch-1
• dfcab10 Merge pull request [Snyk] Security upgrade django from 1.6.1 to 1.8.16 #627 from a0viedo/patch-1
• abec3ae Merge pull request [Snyk] Security upgrade @google-cloud/profiler from 2.0.2 to 4.1.3 #625 from ChALkeR/tmpdir
• a9aaf53 tmp dir setting was being ignored in TmpStore
• 522f465 link build badge to master branch
• 0b5e80d use os.tmpdir() instead of os.tmpDir()
• 5069661 Set "medium" coverage CSS color scheme to yellow
• 0e8c350 Merge pull request [Snyk] Fix for 10 vulnerabilities #587 from clickthisnick/chore-remove-trailing-spaces
• fc3ba35 0.4.3
• b3de106 Update changelog, contributors
• bb5b6e1 Merge pull request [Snyk] Fix for 4 vulnerabilities #579 from jtangelder/fix-colors
• 0411600 return plain string when an invalid clazz is given
• a556a5e Merge pull request [Snyk] Fix for 10 vulnerabilities #552 from abejfehr/patch-1
• 369ed49 Merge pull request [Snyk] Security upgrade rack-protection from 1.5.3 to 1.5.3 #545 from pra85/patch-1

See the full diff

Package name: mocha

The new version differs by 250 commits.

• 5f96d51 build(v10.1.0): release
• ed74f16 build(v10.1.0): update CHANGELOG
• 51d4746 chore(devDeps): update 'ESLint' to v8 (fix: bump nodejs-parser to 1.52.4 attempt 2 snyk/cli#4926)
• 4e06a6f fix(browser): increase contrast for replay buttons (Synchronizing CLI help from user-docs snyk/cli#4912)
• 41567df Support prefers-color-scheme: dark (chore: apply refactorings from a previous PR snyk/cli#4896)
• 61b4b92 fix the regular expression for function `clean` in `utils.js` (feat: build windows and linux binaries with fips enabled Microsoft Go Fork snyk/cli#4770)
• 77c18d2 chore: use standard 'Promise.allSettled' instead of polyfill (fix: update snyk-iac-capture now allowing to upload valid empty states snyk/cli#4905)
• 84b2f84 chore(ci): upgrade GH actions to latest versions (chore: remove smoke-tests.yml from github actions snyk/cli#4899)
• 023f548 build(v10.0.0): release
• 62b1566 build(v10.0.0): update CHANGELOG
• fbe7a24 chore: update dependencies (Synchronizing CLI help from user-docs snyk/cli#4878)
• 2b98521 docs: replace 'git.io' short links (feat: add options for snyk sbom snyk/cli#4877) [ci skip]
• 007fa65 chore(ci): add Node v18 to test matrix (Synchronizing CLI help from user-docs snyk/cli#4876)
• f6695f0 chore(esm): remove code for Node v12 (chore: asset classification snyk/cli#4874)
• 59f6192 chore(ci): conditionally skip 'push' event (feat: renew windows code signing certificate snyk/cli#4872)
• b863359 docs: fix 'fgrep' url (chore: update Go version to 1.21.1 snyk/cli#4873)
• baaa41a chore(ci): ignore changes to docs files (Feat: improved oauth support snyk/cli#4871)
• ac81cc5 refactor!: drop support of 'growl' notification (chore: set Node compatibility version to >=16 snyk/cli#4866)
• 3946453 chore(deps)!: upgrade 'minimatch' (fix: fix wrong project name change snyk/cli#4865)
• 592905b refactor!: rename 'bin/mocha' to 'bin/mocha.js' (chore: remove unnecessary install snyk/cli#4863)
• b7b849b refactor!: remove deprecated Runner signature (chore: Make license script used in build more portable snyk/cli#4861)
• 0608fa3 chore(site): fix supporters' download (fix: updated snyk-python-plugin package version snyk/cli#4859)
• 785aeb1 chore(test): drop AMD/'requirejs' (feat: use gw routing for code snyk/cli#4857)
• ed640c4 chore(devDeps): upgrade 'coffee-script' (feat: updated integrated iac naming snyk/cli#4856)

See the full diff

With a Snyk patch:

Severity	Priority Score (*)	Issue	Exploit Maturity
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:mime:20170907	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution
🦉 Code Injection
🦉 Directory Traversal
🦉 More lessons are available in Snyk Learn