[Snyk] Fix for 26 vulnerabilities

[snyk-bot]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • test/fixtures/qs-package/node_modules/inquirer/package.json
  • test/fixtures/qs-package/node_modules/inquirer/.snyk

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	619/1000 Why? Has a fix available, CVSS 8.1	Prototype Pollution SNYK-JS-AJV-584908	Yes	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	626/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.1	Man-in-the-Middle (MitM) SNYK-JS-HTTPSPROXYAGENT-469131	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	Yes	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-450202	Yes	Proof of Concept
	731/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.2	Prototype Pollution SNYK-JS-LODASH-567746	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-608086	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-73638	Yes	Proof of Concept
	541/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-1019388	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-3050818	Yes	No Known Exploit
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Prototype Pollution SNYK-JS-MINIMIST-2429795	Yes	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MOCHA-2863123	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MOCHA-561476	Yes	No Known Exploit
	676/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.1	Improper Privilege Management SNYK-JS-SHELLJS-2332187	Yes	Proof of Concept
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	Yes	Proof of Concept
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:eslint:20180222	Yes	Proof of Concept
	704/1000 Why? Has a fix available, CVSS 9.8	Arbitrary Code Injection npm:growl:20160721	Yes	No Known Exploit
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:hoek:20180212	Yes	Proof of Concept
	796/1000 Why? Mature exploit, Has a fix available, CVSS 8.2	Uninitialized Memory Exposure npm:https-proxy-agent:20180402	Yes	Mature
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:lodash:20180130	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:minimatch:20160620	Yes	No Known Exploit
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:ms:20170412	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: eslint

The new version differs by 250 commits.

• c4fffbc 8.0.0
• d51f4cf Build: changelog update for 8.0.0
• 7d3f7f0 Upgrade: unfrozen @ eslint/eslintrc (fixes #15036) (#15146)
• 2174a6f Fix: require-atomic-updates property assignment message (fixes #15076) (#15109)
• f885fe0 Docs: add note and example for extending the range of fix (refs #13706) (#13748)
• 3da1509 Docs: Add jsdoc `type` annotation to sample rule (#15085)
• 68a49a9 Docs: Update Rollup Integrations (#15142)
• d867f81 Docs: Remove a dot from curly link (#15128)
• 9f8b919 Sponsors: Sync README with website
• 4b08f29 Sponsors: Sync README with website
• ebc1ba1 Sponsors: Sync README with website
• 2d654f1 Docs: add example .eslintrc.json (#15087)
• 16034f0 Docs: fix fixable example (#15107)
• 07175b8 8.0.0-rc.0
• 71faa38 Build: changelog update for 8.0.0-rc.0
• 67c0074 Update: Suggest missing rule in flat config (fixes #14027) (#15074)
• cf34e5c Update: space-before-blocks ignore after switch colons (fixes #15082) (#15093)
• c9efb5f Fix: preserve formatting when rules are removed from disable directives (#15081)
• 14a4739 Update: `no-new-func` rule catching eval case of `MemberExpression` (#14860)
• 7f2346b Docs: Update release blog post template (#15094)
• fabdf8a Chore: Remove `target.all` from `Makefile.js` (#15088)
• e3cd141 Sponsors: Sync README with website
• 05d7140 Chore: document target global in Makefile.js (#15084)
• 0a1a850 Update: include `ruleId` in error logs (fixes #15037) (#15053)

See the full diff

Package name: gulp

The new version differs by 134 commits.

• 55eb23a Release: 4.0.0
• 173a532 Docs: Fix the installation instructions
• ec54d09 Docs: Improve note about out-of-date docs
• 03b7c98 Docs: Update recipes to install gulp@next
• 2eba29e Docs: Remove run-sequence from recipes
• 76eb4d6 Docs: Add installation instructions & update badges
• fbc162f Docs: Remove references to gulp-util
• 3011cf9 Scaffold: Normalize repository
• f27be05 Update: Remove graceful-fs from test suite
• 361ab63 Upgrade: Update glob-watcher
• 064d100 Build: Avoid broken node 9
• 057df59 Release: 4.0.0-alpha.3
• c1ba80c Breaking: Upgrade major versions of glob-watcher, gulp-cli & vinyl-fs
• 89acc5c Docs: Improve ES2015 task exporting examples ([Snyk] Fix for 3 vulnerabilities #1999)
• 0ac9e04 Docs: Add "Project structure" section to CONTRIBUTING.md ([Snyk] Security upgrade grpc from 1.22.2 to 1.24.11 #1859)
• 723cbc4 Docs: Fix syntax in recipe example ([Snyk] Fix for 1 vulnerabilities #1715)
• d420a6a Docs: Have gulp.lastRun take a function to avoid task registration ([Snyk] Security upgrade celery from 4.3.0 to 4.4.0rc5 #1828)
• 29ece6f Upgrade: Update undertaker
• e931cb0 Docs: Fix changelog typos ([Snyk] Fix for 1 vulnerabilities #1696)
• 477db84 Docs: Add a "BrowserSync with Gulp 4" recipe ([Snyk] Fix for 1 vulnerabilities #1659)
• d4ed3c7 Docs: Add options.cwd for gulp.src API ([Snyk] Security upgrade tap from 5.8.0 to 18.0.0 #1645)
• 5dc3b07 Docs: Update gulp.watch API to align with glob-watcher
• 0c66069 Breaking: Replace chokidar as gulp.watch with glob-watcher wrapper
• c3dbc10 Docs: Clarify incremental builds example ([Snyk] Security upgrade ava from 0.0.4 to 0.1.0 #1609)

See the full diff

Package name: gulp-eslint

The new version differs by 19 commits.

• a398838 4.0.0
• 18a4299 emit an error when it fails to load an ESLint plugin
• b8bf261 update ESLint from v3 to v4 ([Snyk] Security upgrade django from 1.6.1 to 2.2.27 #198)
• c0e82ce use `Buffer.from` instead of `new Buffer`
• e6c67a2 drop support for linting `Stream` contents
• 132d5cc Fix formatting issues in README.md ([Snyk] Security upgrade django from 1.6.1 to 2.2.27 #194)
• 7f65378 remove link to config file `globals` doc
• 8ddfb84 correct the type of `globals` option in README
• 6059c22 3.0.1
• b0c2816 ensure sharable config works
• 08b9212 test the case where babel-eslint is actually useful
• eb98701 mock stream-mode vinyl files with from2-string
• bcd7736 fix invalid `envs` option
• 286b0c4 remove unused fixtures
• e2723e1 Remove unnecessary `object-assign` dependency
• 82c1949 3.0.0
• 97d8638 Remove invalid options in example code
• 505779d Remove option aliases
• 7228608 Bump ESLint to v3.x and ES2015ify

See the full diff

Package name: gulp-istanbul

The new version differs by 20 commits.

• 502855e 1.1.2
• ac8f966 Add documentation for reportOpts and watermarks ([Snyk] Security upgrade django from 2.0.1 to 2.2.25 #121)
• be326d1 Update README.md to warn about gulp-mocha ([Snyk] Security upgrade django from 1.6.1 to 2.2.25 #120)
• b0149ac fix(package): update istanbul-threshold-checker to version 0.2.1 ([Snyk] Security upgrade sanitize from 4.6.2 to 4.6.2 #112)
• 7ec737a chore(package): update dependencies ([Snyk] Security upgrade cryptography from 2.6.1 to 3.2 #110)
• b047c82 Update .travis.yml
• a8dd45e 1.1.1
• 18ed282 Fix override default reporters ([Snyk] Security upgrade bl from 0.9.5 to 1.2.3 #101)
• 5aefe19 1.1.0
• 081c841 Bump dependencies
• eef2bb3 Update travis covered versions
• e94f537 Allow passing deep options to the instrumenter. Fix [Snyk] Security upgrade snyk from 1.101.1 to 1.230.7 #79
• d93e057 → Fix common cross-platform issue with file path normalization. ([Snyk] Security upgrade tap from 5.8.0 to 15.0.0 #86)
• d34854f Commented "supports es6" on isparta instrumenter ([Snyk] Security upgrade boxen from 0.3.1 to 4.1.0 #97)
• 200153d 1.0.0
• 8a07dbe gulp-sourcemap support ([Snyk] Security upgrade yargs from 11.1.0 to 15.0.1 #94)
• 99432aa Merge pull request [Snyk] Security upgrade tap from 11.1.3 to 15.0.0 #91 from nimrod-becker/master
• 5e79eb4 Remove opts.resolveAbsolutePaths option, simply don't path.resolve
• 27be6aa Provide an option to skip path resolution
• 293cf78 Update documentation Fix [Snyk] Security upgrade yargs from 11.1.0 to 15.0.1 #89

See the full diff

Package name: gulp-mocha

The new version differs by 48 commits.

• c1e272e 7.0.0
• 4924437 Update Mocha and require Node.js and Gulp 4
• cde8dc2 6.0.0
• 1fd70f0 Require Node.js 6
• fc5cc1f Reduce noise in console output on test failures ([Snyk] Security upgrade django from 1.6.1 to 2.2.27 #188)
• eb1f5cc Set color option to what is supported by the current env ([Snyk] Security upgrade django from 2.0.1 to 2.2.27 #190)
• c5da1d1 Update mocha to 5.2.0 ([Snyk] Security upgrade django from 1.6.1 to 2.2.27 #191)
• 983b0ac 5.0.0
• 7bc8d9c Add example of using the `exit` option ([Snyk] Security upgrade python from 3.6-slim to 3.8-slim #185)
• 3f53145 Add example of using reporterOptions in readme.md ([Snyk] Security upgrade node-fetch from 2.6.0 to 3.1.1 #179)
• 5045939 Improve usage example
• 64fef33 Bump Mocha to v4
• 06b96ba Meta tweaks
• ac3d7fc Drop dependency on deprecated `gulp-util` ([Snyk] Security upgrade django from 1.6.1 to 2.2.27 #187)
• 67b1e3e 4.3.1
• 315275f Rewrite tests to use AVA
• 4ac3c98 Cleanup
• 9ddcbd0 Convert objects to key value lists. Closes [Snyk] Security upgrade @google-cloud/profiler from 2.0.2 to 4.0.0 #167 ([Snyk] Security upgrade actionpack from 4.2.5 to 4.2.11.3 #171)
• 55004ca Fix `require` option for multiple entries ([Snyk] Security upgrade snyk from 1.101.1 to 1.230.7 #173)
• e878086 4.3.0
• 9cedf6e Increase the max buffer
• 43f4b4d 4.2.0
• edfa4dd Forward stderr too ([Snyk] Security upgrade sanitize from 4.6.2 to 5.2.1 #168)
• 9e5d38a Minor readme tweaks

See the full diff

Package name: gulp-nsp

The new version differs by 5 commits.

• f370b3b 3.0.0
• 92de632 refactor to use nsp@3.x, closes [Snyk] Security upgrade sqlite3 from 3.0.8 to 4.0.0 #39
• 28bf93c Merge pull request [Snyk] Security upgrade request from 2.57.0 to 2.76.0 #42 from asghol/master
• 3c9e0f5 No longer using gulp-util as it is deprecated, closes [Snyk] Security upgrade npm from 2.15.12 to 7.0.0 #41
• 23960ed updated drone config

See the full diff

Package name: mocha

The new version differs by 250 commits.

• 5f96d51 build(v10.1.0): release
• ed74f16 build(v10.1.0): update CHANGELOG
• 51d4746 chore(devDeps): update 'ESLint' to v8 (fix: bump nodejs-parser to 1.52.4 attempt 2 snyk/cli#4926)
• 4e06a6f fix(browser): increase contrast for replay buttons (Synchronizing CLI help from user-docs snyk/cli#4912)
• 41567df Support prefers-color-scheme: dark (chore: apply refactorings from a previous PR snyk/cli#4896)
• 61b4b92 fix the regular expression for function `clean` in `utils.js` (feat: build windows and linux binaries with fips enabled Microsoft Go Fork snyk/cli#4770)
• 77c18d2 chore: use standard 'Promise.allSettled' instead of polyfill (fix: update snyk-iac-capture now allowing to upload valid empty states snyk/cli#4905)
• 84b2f84 chore(ci): upgrade GH actions to latest versions (chore: remove smoke-tests.yml from github actions snyk/cli#4899)
• 023f548 build(v10.0.0): release
• 62b1566 build(v10.0.0): update CHANGELOG
• fbe7a24 chore: update dependencies (Synchronizing CLI help from user-docs snyk/cli#4878)
• 2b98521 docs: replace 'git.io' short links (feat: add options for snyk sbom snyk/cli#4877) [ci skip]
• 007fa65 chore(ci): add Node v18 to test matrix (Synchronizing CLI help from user-docs snyk/cli#4876)
• f6695f0 chore(esm): remove code for Node v12 (chore: asset classification snyk/cli#4874)
• 59f6192 chore(ci): conditionally skip 'push' event (feat: renew windows code signing certificate snyk/cli#4872)
• b863359 docs: fix 'fgrep' url (chore: update Go version to 1.21.1 snyk/cli#4873)
• baaa41a chore(ci): ignore changes to docs files (Feat: improved oauth support snyk/cli#4871)
• ac81cc5 refactor!: drop support of 'growl' notification (chore: set Node compatibility version to >=16 snyk/cli#4866)
• 3946453 chore(deps)!: upgrade 'minimatch' (fix: fix wrong project name change snyk/cli#4865)
• 592905b refactor!: rename 'bin/mocha' to 'bin/mocha.js' (chore: remove unnecessary install snyk/cli#4863)
• b7b849b refactor!: remove deprecated Runner signature (chore: Make license script used in build more portable snyk/cli#4861)
• 0608fa3 chore(site): fix supporters' download (fix: updated snyk-python-plugin package version snyk/cli#4859)
• 785aeb1 chore(test): drop AMD/'requirejs' (feat: use gw routing for code snyk/cli#4857)
• ed640c4 chore(devDeps): upgrade 'coffee-script' (feat: updated integrated iac naming snyk/cli#4856)

See the full diff

With a Snyk patch:

Severity	Priority Score (*)	Issue	Exploit Maturity
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:hoek:20180212	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:minimatch:20160620	No Known Exploit
	576/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.1	Uninitialized Memory Exposure npm:tunnel-agent:20170305	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution
🦉 Regular Expression Denial of Service (ReDoS)
🦉 Improper Privilege Management
🦉 More lessons are available in Snyk Learn