[Snyk] Fix for 3 vulnerabilities

[snyk-bot]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:

  • package.json
  • package-lock.json

• Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
  Find out more.

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Denial of Service (DoS) SNYK-JS-JSZIP-1251497	No	Proof of Concept
	539/1000 Why? Has a fix available, CVSS 6.5	Information Exposure SNYK-JS-NODEFETCH-2342118	No	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: jszip

The new version differs by 18 commits.

• e5b3f0d 3.7.0
• e88ba4b Update for version 3.7.0
• 9046487 Disable proto assert that fails in browsers
• 6d029b4 Merge pull request #766 from MichaelAquilina/fix/files-null-prototype
• bb38812 Ensure prototype isn't modified by zip file
• d024c22 test: Add test case for loading zip filenames which shadow method names
• 2235749 fix: Use a null prototype object for this.files
• b7f472d Merge pull request #757: Update license to be valid spdx identifier
• a311039 update license to be valid spdx identifier
• 112fcdb 3.6.0
• 7c75dff Update changelog and build for 3.6.0
• 10035ad Update contributing
• dcc6ff9 Merge pull request #742 from jahed/fix/webpack-5-async-failure
• f4700f9 fix(browser): redirect main to dist on browsers
• 3db5fdc Merge pull request #734 from JayFate/master
• e534454 fix: duplicate require
• 25d401e Merge pull request #703 from vdoubleu/patch-1
• 9f13168 fix small error in read_zip.md

See the full diff

Package name: node-fetch

The new version differs by 7 commits.

• 1ef4b56 backport of #1449 (#1453)
• 8fe5c4e 2.x: Specify encoding as an optional peer dependency in package.json (#1310)
• f56b0c6 fix(URL): prefer built in URL version when available and fallback to whatwg (#1352)
• b5417ae fix: import whatwg-url in a way compatible with ESM Node (#1303)
• 18193c5 fix v2.6.3 that did not sending query params (#1301)
• ace7536 fix: properly encode url with unicode characters (#1291)
• 152214c Fix(package.json): Corrected main file path in package.json (#1274)

See the full diff

With a Snyk patch:

Severity	Priority Score (*)	Issue	Exploit Maturity
	731/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.2	Prototype Pollution SNYK-JS-LODASH-567746	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution
🦉 Denial of Service (DoS)