[Snyk] Fix for 29 vulnerabilities

[bamtron5]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	679/1000 Why? Has a fix available, CVSS 9.3	Incomplete List of Disallowed Inputs SNYK-JS-BABELTRAVERSE-5962463	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	Yes	Proof of Concept
	626/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.1	Man-in-the-Middle (MitM) SNYK-JS-HTTPSPROXYAGENT-469131	No	Proof of Concept
	661/1000 Why? Recently disclosed, Has a fix available, CVSS 7.5	Missing Release of Resource after Effective Lifetime SNYK-JS-INFLIGHT-6095116	Yes	No Known Exploit
	641/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.4	Prototype Pollution SNYK-JS-JSON5-3182856	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	Yes	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-450202	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-608086	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-73638	Yes	Proof of Concept
	541/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASHSET-1320032	Yes	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASHTEMPLATE-1088054	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-2342073	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-2342082	Yes	Proof of Concept
	520/1000 Why? Has a fix available, CVSS 5.9	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-584281	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-1019388	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-3050818	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Improper Input Validation SNYK-JS-POSTCSS-5926692	Yes	No Known Exploit
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Server-side Request Forgery (SSRF) SNYK-JS-REQUEST-3361831	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	No	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	Yes	Proof of Concept
	596/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.5	Arbitrary Code Injection SNYK-JS-UNDERSCORE-1080984	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-UNSETVALUE-2400660	Yes	No Known Exploit
	796/1000 Why? Mature exploit, Has a fix available, CVSS 8.2	Uninitialized Memory Exposure npm:http-proxy-agent:20180406	No	Mature
	796/1000 Why? Mature exploit, Has a fix available, CVSS 8.2	Uninitialized Memory Exposure npm:https-proxy-agent:20180402	No	Mature
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:lodash:20180130	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:minimatch:20160620	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: del

The new version differs by 47 commits.

• cd0543e 6.0.0
• 6c99805 Require Node.js 10
• 1df5280 Readme tweaks
• 4acd962 Add tip about deleting subdirectories ([Snyk] Fix for 1 vulnerabilities #116)
• 1a0c36c Add mention of GitHub Sponsors
• 1e0d705 Tidelift tasks
• 892ce2a Make it clear that it recursively deletes directories ([Snyk] Security upgrade socket.io from 2.5.0 to 3.0.0 #113)
• 728cb7c Fix benchmark
• 557c1fa 5.1.0
• 12c443d Meta tweaks
• 01da91f Allow non-glob patterns with backslash on Windows ([Snyk] Fix for 1 vulnerabilities #100)
• 9c72270 Add benchmarks ([Snyk] Security upgrade typings from 0.6.10 to 0.7.0 #101)
• 1299747 Use graceful-fs ([Snyk] Security upgrade gulp-autoprefixer from 3.1.1 to 6.0.0 #108)
• f509a89 Update dependencies ([Snyk] Fix for 2 vulnerabilities #109)
• ca05c65 Sort removed files ([Snyk] Fix for 1 vulnerabilities #102)
• 51662ac Reverse order back for the returned paths ([Snyk] Security upgrade mongoose from 4.13.21 to 6.0.4 #99)
• 902b594 Meta tweaks
• ffbf4c4 Fix the `cwd` option ([Snyk] Fix for 2 vulnerabilities #96)
• 8efdbcd Prevent race condition on macOS when deleting files ([Snyk] Security upgrade socket.io from 2.4.1 to 3.0.0 #95)
• 9e7550b Add note about backward-slashes
• c071180 5.0.0
• a73462c Meta tweaks
• 6f96d2d Update globby to version 10 ([Snyk] Fix for 1 vulnerable dependencies #64)
• 6e23f6a Tidelift tasks

See the full diff

Package name: express-jwt

The new version differs by 15 commits.

• c4de5de 6.1.1
• 691fd6a Merge pull request #272 from ryanpcmcquen/prototype-pollution-vulnerability-fix
• 551bf40 Fix prototype pollution vulnerability.
• 354e1f8 6.1.0
• 3db0e6b Merge pull request #265 from pipeline1987/master
• 67bd3c4 upgrade express-unless dependency to v1.0.0
• 5cf9b0b Merge pull request #236 from auth0/dependabot/npm_and_yarn/lodash-4.17.19
• adf60bb Merge pull request #239 from auth0/update-changelog
• ed743a8 Updated changelog
• 61776e2 Bump lodash from 4.17.15 to 4.17.19
• 5fb8c88 Merge pull request #234 from gkwang/update-readme
• 43b7921 Update readme on 6.0.0 changes
• 678f3b0 6.0.0
• 7ecab5f Merge pull request from GHSA-6g6m-m6h5-w9gf
• 304a1c5 Made algorithms mandatory

See the full diff

Package name: gulp

The new version differs by 134 commits.

• 55eb23a Release: 4.0.0
• 173a532 Docs: Fix the installation instructions
• ec54d09 Docs: Improve note about out-of-date docs
• 03b7c98 Docs: Update recipes to install gulp@next
• 2eba29e Docs: Remove run-sequence from recipes
• 76eb4d6 Docs: Add installation instructions & update badges
• fbc162f Docs: Remove references to gulp-util
• 3011cf9 Scaffold: Normalize repository
• f27be05 Update: Remove graceful-fs from test suite
• 361ab63 Upgrade: Update glob-watcher
• 064d100 Build: Avoid broken node 9
• 057df59 Release: 4.0.0-alpha.3
• c1ba80c Breaking: Upgrade major versions of glob-watcher, gulp-cli & vinyl-fs
• 89acc5c Docs: Improve ES2015 task exporting examples (#1999)
• 0ac9e04 Docs: Add "Project structure" section to CONTRIBUTING.md (#1859)
• 723cbc4 Docs: Fix syntax in recipe example (#1715)
• d420a6a Docs: Have gulp.lastRun take a function to avoid task registration (#1828)
• 29ece6f Upgrade: Update undertaker
• e931cb0 Docs: Fix changelog typos (#1696)
• 477db84 Docs: Add a "BrowserSync with Gulp 4" recipe (#1659)
• d4ed3c7 Docs: Add options.cwd for gulp.src API (#1645)
• 5dc3b07 Docs: Update gulp.watch API to align with glob-watcher
• 0c66069 Breaking: Replace chokidar as gulp.watch with glob-watcher wrapper
• c3dbc10 Docs: Clarify incremental builds example (#1609)

See the full diff

Package name: gulp-autoprefixer

The new version differs by 27 commits.

• ede5a11 8.0.0
• a953087 Require Node.js 12 and upgrade dependencies
• 87ff53d Move to GitHub Actions ([Snyk] Security upgrade typings from 0.6.10 to 0.7.0 #117)
• c5e7214 7.0.1
• da50fd2 Make Gulp an optional peer dependency
• 40fba84 7.0.0
• ab49120 Require Node.js 8 and Gulp 4
• 83cc576 Enable the repo sponsor button
• adec1a7 6.1.0
• 7b080bf Upgrade dependencies
• dfe3919 6.0.0
• c225cbd Upgrade `autoprefixer` and `postcss`
• ea0b7f8 Require Node.js 6
• 18a27be 5.0.0
• e526a78 Meta tweaks
• e954e6e Update sourcemap paths to be relative to `file.base` ([Snyk] Security upgrade gulp-notify from 2.2.0 to 3.0.0 #92)
• 7828646 Upgrade to Autoprefixer 8 ([Snyk] Fix for 2 vulnerabilities #96)
• d008588 4.1.0
• 27816c3 Meta tweaks
• 94f3447 Drop dependency on deprecated gulp-util ([Snyk] Security upgrade mongoose from 4.13.21 to 5.12.3 #94)
• 60aead3 Test against Node.js v8 ([Snyk] Security upgrade ejs from 2.7.4 to 3.1.6 #90)
• 5188604 4.0.0
• 04814b7 Rewrite tests to use AVA
• 7df69ba ES2015ify, bump postcss, require Node.js 4

See the full diff

Package name: gulp-babel

The new version differs by 4 commits.

• 8e6fa78 7.0.0
• 8afcd30 make babel-core a peerDep, similar to babel-loader ([Snyk] Security upgrade socket.io from 2.5.0 to 3.0.5 #122)
• 744f633 7.0.0-alpha.18
• 21bf286 Babel 7 alpha ([Snyk] Security upgrade gulp from 3.9.1 to 4.0.0 #112)

See the full diff

Package name: gulp-clone

The new version differs by 6 commits.

• 3252782 2.0
• f3a113e Test on Node 4 and up
• 6ebd1e4 1.1.1
• db8ea95 Update chai and mocha
• 4ba729d 1.1.0
• 918beb6 Replace deprecated gulp util (Fixes Create sign up component, API, Service Method #6)

See the full diff

Package name: gulp-concat-css

The new version differs by 3 commits.

• 8d11ad5 3.0.0
• e8f7ad3 Merge pull request Gulp TSC #44 from TheDancingCode/pr/remove-gutil
• 2266a2c Drop dependency on deprecated `gulp-util`

See the full diff

Package name: gulp-copy

The new version differs by 35 commits.

• 433c976 Bump version
• ffde364 Merge pull request Add roles #25 from grig0ry/drop-deprecated
• ddd05a4 Replace deprecated dependency gulp-util
• cf6bd7a Merge pull request Performance refactoring #23 from OmgImAlexis/master
• ff8ff0c fix syntax highlighting
• d21a458 Release bugfixes version 1.0.1
• 6c6b293 Merge pull request Sign up page should display a success message #22 from klaascuvelier/fixes
• 216f00a Updates
• 5bd080c Update options
• ab171d2 Merge pull request Validation for signup #20 from klaascuvelier/major-update
• 5131700 update readme
• d812177 add some example data
• 1e69d09 add example to repo
• bde5166 Update path exists
• e8a8fba add master build status
• 82a30a4 add version badge
• 80121dd fix syntax error
• e3c96bd clean up
• 8df47cb update version
• 15fbbf6 update readme
• c776778 Add some tests
• 4caa555 Move logic to lib
• bd0aad4 don't add example to repo
• ca8e4c7 add lint command

See the full diff

Package name: gulp-flatten

The new version differs by 12 commits.

• 0119b8c new verstion with dropped deprecated deps
• 14b1908 tests now passes on node 9.x.x
• fc2e3f9 Merge pull request Add logout to user api and service #15 from TheDancingCode/issue-14
• bff1212 Drop dependency on deprecated `gulp-util`
• 8a83216 exapmple output fix
• 04c2b46 v0.3.1
• 7fc66c4 refactor: nested functions was defined on each call
• 2229a21 bump v0.3.0
• 48a1557 update deps
• ce64bc0 Merge pull request Hero Unit w/ Theme-ability #11 from fkammer/new-subpath-option
• 0b24d9c Updated Readme
• a5c26a7 Adds option subPath

See the full diff

Package name: gulp-less

The new version differs by 11 commits.

• 9d9e96f chore: update deps, publish v5
• ea13d8a Merge pull request #313 from MisterLuffy/master
• 7ce4b9b feat: support less v4
• 1a9d694 Merge pull request #314 from stamminator/master
• b1a3e18 Update .travis.yml
• ecacdf7 Fix links after moving repo
• 403b696 4.0.1
• 0678856 Upgrade less version to 3.7.1
• 6114989 Update README.md (#292)
• 7d9df97 4.0.0
• cde149b Update accord to support less@3.0.0 - closes #269

See the full diff

Package name: gulp-notify

The new version differs by 25 commits.

• 398d0a4 v3.1.0
• fc51ff2 Merge pull request [Snyk] Security upgrade nodemailer from 2.7.2 to 4.0.1 #124 from ohbarye/replace-gulp-util
• 46efdc6 Move vinyl to devDependencies
• 173fcb0 Use ansi-colors instead of chalk due to node version compatibility
• 1e8c372 Remove unused through import
• 3284a51 Drop dependency on deprecated gulp-util
• 455250c npm install chalk fancy-log plugin-error lodash.template vinyl
• 658efc5 v3.0.0
• b1ba7a2 Adds changelog for bump with node-notifier
• 7d6944e Updates all dependencies
• 08244ea Adds log files to ignore
• 8df5320 Bumps node-notifier dependency to latest
• 507e21f Merge pull request [Snyk] Security upgrade express-jwt from 5.3.3 to 6.1.2 #105 from queicherius/patch-1
• f32b692 Update node-notifier dependency
• f5d3f46 Merge pull request [Snyk] Security upgrade gulp-rtlcss from 1.4.2 to 2.0.0 #103 from Toby-S/patch-1
• bbcc4d1 Correct indent_style in .editorconfig
• c0d7501 Update README.md
• 21eed88 Update README.md
• 084f6a1 Adds support for overriding host/port/appname onError. Fixes [Snyk] Security upgrade typings from 0.6.10 to 0.7.0 #91
• e45ef63 Merge pull request [Snyk] Security upgrade typings from 0.6.10 to 0.7.0 #85 from stevelacy/patch-1
• ef56795 Update license attribute
• 80a4c0d Merge pull request [Snyk] Fix for 1 vulnerable dependencies #72 from dhruska/master
• 0783a5c Typo fix in README
• b4e95ec Merge pull request [Snyk] Fix for 2 vulnerable dependencies #71 from Andorbal/master

See the full diff

Package name: gulp-print

The new version differs by 16 commits.

• d9353ec 3.0.0
• d64cc43 Merge pull request Email confirmation setup for signup #19 from alexgorbatchev/greenkeeper/mocha-5.0.0
• 807f01b Merge branch 'master' into greenkeeper/mocha-5.0.0
• d181d50 Merge pull request Implement form tokens for Security #17 from TheDancingCode/pr/remove-gutil
• 7e02c8a chore(package): update mocha to version 5.0.0
• 4c2f3e0 Drop dependency on deprecated `gulp-util`
• f218ad2 Merge pull request GetTodo list should not be recalled after submission #16 from alexgorbatchev/greenkeeper/mocha-4.0.1
• 9fb86af Merge branch 'master' into greenkeeper/mocha-4.0.1
• 06d97dd Updates travis to use node v6 and v8
• 0f78882 Merge pull request Add logout to user api and service #15 from alexgorbatchev/greenkeeper/chai-4.1.2
• fb24f18 Merge pull request Style guide and prototype #14 from alexgorbatchev/greenkeeper/sinon-4.0.1
• 4869c10 chore(package): update mocha to version 4.0.1
• 48e5be4 chore(package): update sinon to version 4.0.1
• cbf0a9b chore(package): update chai to version 4.1.2
• aa1a949 Merge pull request Create profile model, service, api #9 from alexgorbatchev/greenkeeper/update-all
• f317075 chore(package): update dependencies

See the full diff

Package name: gulp-uglify

The new version differs by 9 commits.

• e4f9045 2.0.0
• 566ec6a refactor(tests): write tests with mocha
• 5651111 refactor(tests): replace `cmem` with `testdouble`
• b82387b refactor(tests): compose streams with `mississippi` utilities
• 1232c3c fix(errors): emit errors of type `GulpUglifyError`
• 5632cee fix(minifer): use `gulplog` for the warning
• 8160697 feat(minifier): use UglifyJS 2.7.0's input map support
• 3ec8fc3 chore(package): update uglify-js to version 2.7.0
• a9c55b9 doc(README): spelling mistake in example

See the full diff

Package name: gulp-watch

The new version differs by 7 commits.

• 80cd83e 5.0.1
• 6fe8912 Replace deprecated gulp-util (#303)
• 959128a 5.0.0
• 9208d48 Bump chokidar to ^2.0.0
• 02bd06d Update to newest vinyl for gulp 4 support (#296)
• 4ced696 Add Node.js 9 and increase timeout to 5 secs
• aa8146f Remove unsupported versions of Node.js

See the full diff

Package name: nodemailer

The new version differs by 4 commits.

• eaef3b5 Merge pull request #719 from nodemailer/v3.0.0
• de5b6f6 updated license
• 652ad8e Do not use PRO in name
• 6218b8d Setup files for EUPL licensed v3.0.0

See the full diff

Package name: run-sequence

The new version differs by 15 commits.

• 31103da 2.2.1
• 209e46c Drop dependency on deprecated `gulp-util` ([Snyk] Fix for 1 vulnerabilities #100)
• 37e17be 2.2.0
• c450122 Changelog, cleanup for orchestration events change
• 2155560 handle orchestration aborted events ([Snyk] Security upgrade gulp-autoprefixer from 3.1.1 to 6.0.0 #97)
• 066b8c6 2.1.0
• dada3f4 Added date to v1 in changelog
• f2b1635 Added options, code cleanup
• 578d017 Added a changelog, Closes [Snyk] Security upgrade typings from 0.6.10 to 2.1.1 #82
• 9fd7783 2.0.0
• d80ddf5 Specify chalk version ([Snyk] Security upgrade socket.io from 2.4.1 to 3.0.0 #89)
• 59515cf Fixed typo
• 7e263af Ignore yarn lock when publishing
• b83cc34 Adding Yarn lockfile
• ee04d48 Added modern node versions to travis ci ([Snyk] Fix for 1 vulnerable dependencies #73)

See the full diff

Package name: typings

The new version differs by 197 commits.

• ce773a3 2.1.1
• 2dfd06b Avoid printing "no dependencies", print uninstall
• 657bd4a chore(package): update tslint-config-standard to version 5.0.0 (#788)
• 60aa87a chore(package): update tslint to version 5.0.0 (#786)
• 6afabc9 chore(package): update ts-node to version 3.0.0 (#783)
• aba62db Update `typings-core` to latest build
• 04ff2fb Update TSLint
• 46d6ab3 fix(package): update update-notifier to version 2.0.0 (#770)
• 74a60d9 chore(package): update tslint-config-standard to version 3.0.0 (#761)
• 25309fd fix(package): update cli-truncate to version 1.0.0 (#758)
• a7e34df chore(package): update ts-node to version 2.0.0 (#752)
• afc99a2 v2.1.0
• fed00bf Update generated documentation
• 454fd1f Update bin-install.ts (#744)
• ebecc13 Update README.md (#742)
• c67bd61 Update build to use native promises
• 23e4906 Document supported node versions in FAQ (#737)
• e42ec68 Update TSLint
• 68c9af7 chore(package): update tslint-config-standard to version 2.0.0 (#731)
• ffc6497 v2.0.0
• f36b453 fix(package): update typings-core to version 2.0.0 (#725)
• 4d76d44 Document effect of `NODE_ENV=production` on the `typings install` command (#721)
• af50263 chore: drop support for Node.js 0.10 (#722)
• d42cd13 v1.5.0

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Prototype Pollution
🦉 Improper Input Validation
🦉 More lessons are available in Snyk Learn