[Snyk] Fix for 22 vulnerabilities

[jtgiri]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • deps/npm/package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	706/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.7	Remote Memory Exposure SNYK-JS-BL-608877	No	Proof of Concept
	584/1000 Why? Has a fix available, CVSS 7.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-HAWK-2808852	No	No Known Exploit
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-INI-1048974	No	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-1019388	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-NPMUSERVALIDATE-1019352	Yes	No Known Exploit
	624/1000 Why? Has a fix available, CVSS 8.2	Arbitrary File Overwrite SNYK-JS-TAR-1536528	Yes	No Known Exploit
	624/1000 Why? Has a fix available, CVSS 8.2	Arbitrary File Overwrite SNYK-JS-TAR-1536531	Yes	No Known Exploit
	410/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) SNYK-JS-TAR-1536758	Yes	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579147	Yes	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579152	Yes	No Known Exploit
	726/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.1	Arbitrary File Overwrite SNYK-JS-TAR-174125	Yes	Proof of Concept
	434/1000 Why? Has a fix available, CVSS 4.4	Time of Check Time of Use (TOCTOU) npm:chownr:20180731	Yes	No Known Exploit
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:hawk:20160119	No	No Known Exploit
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:hoek:20180212	No	Proof of Concept
	539/1000 Why? Has a fix available, CVSS 6.5	Timing Attack npm:http-signature:20150122	No	No Known Exploit
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:mime:20170907	No	No Known Exploit
	756/1000 Why? Mature exploit, Has a fix available, CVSS 7.4	Uninitialized Memory Exposure npm:npmconf:20180512	Yes	Mature
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Override Protection Bypass npm:qs:20170213	No	No Known Exploit
	469/1000 Why? Has a fix available, CVSS 5.1	Remote Memory Exposure npm:request:20160119	No	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) npm:semver:20150403	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Symlink File Overwrite npm:tar:20151103	Yes	No Known Exploit
	576/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.1	Uninitialized Memory Exposure npm:tunnel-agent:20170305	No	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: chownr

The new version differs by 18 commits.

• 76c21fa 1.1.0
• e8f0dc7 auto-publish scripts
• b196e0e add tests for old readdir support
• e06dd8a Avoid unnecessary stats on node v10.10 and above
• 36a93e3 use lchown to address part 1 of TOCTOU issue
• a631d84 use lchown instead of chown, if available
• cdd4ce7 use modern JavaScript
• d548650 update tap
• 924de1e update travis
• c6c4384 v1.0.1
• 282c80a only one license
• 27669c7 only include the js file
• 4f72743 v1.0.0
• c3fef71 Minor style nits, and make tests quieter
• 09c2a63 tests: change a list of groups for the localized group names
• c828976 add tests for skip symlink
• 37c0acc skip symlink
• 16da29f tap@1.2.0 and travis-ci

See the full diff

Package name: glob

The new version differs by 142 commits.

• 3a7e71d v5.0.15
• 841fda0 use latest minimatch
• 4ba54a8 Skip some tests on Windows, make others pass
• 3936e1e Build: Add build for node v4
• c47d451 v5.0.14
• 821fac8 Handle ENOTSUP for sync glob as well as async
• 9625618 Test for when readdir raises ENOTSUP
• 0a2b519 Generate fixtures more effectively, with -O instead of eval
• f96190b Use js for benchmark cleanup
• 957fd93 Fix some 'use strict' errors
• bf3381e Treat ENOTSUP like ENOTDIR in readdir
• 507733d v5.0.13
• f5878af Do not emit 'match' events for ignored items
• 9439afd v5.0.12
• 6071f3a Revert "Use graceful-fs if available"
• 38ff16c v5.0.11
• f09292b Use graceful-fs if available
• 4f39b60 Remove duplicate option description
• e3cdccc v5.0.10
• 480da05 ignore .nyc_output, upgrade tap, use coverage, rm fixtures
• 155124b add more sync cb thrower tests
• f7302ca Test base-matching
• 7530e88 v5.0.9
• b185987 reduce cases where tests need to be regenerated

See the full diff

Package name: ini

The new version differs by 27 commits.

• 2da9039 1.3.6
• cfea636 better git push script, before publish instead of after
• 56d2805 do not allow invalid hazardous string as section name
• 738eca5 v1.3.5
• da3e2c4 ignore coverage
• 9868eb4 package lock
• 6d8b7c8 auto-publish scripts
• ca69873 bring test coverage up to 100%
• 2ad741b update standard for more standardizations
• ad2b547 Update tap and travis
• 872b7ad Allow the module to be used in any CommonJS environment
• 5992138 tap 2
• 3aa2408 standard javascript style
• 4a3001a v1.3.4
• f9ba09a Add pkg.files to ignore files when npm publish
• 666d4ce travis: install new npm before install
• c356c4e tap 1.2.0 and travis
• 566268f v1.3.3
• 9c3b405 Safe encode values with = in them
• bbe4a8b v1.3.2
• 8e3ab42 isc license
• f473c0c v1.3.1
• 3ab64d4 isc license
• 6c31494 v1.3.0

See the full diff

Package name: init-package-json

The new version differs by 22 commits.

• c09029c 1.3.1
• 017da5e updated devDependencies
• 14b18e3 glob@5.0.3
• 08ff26a validate-npm-package-name@2.0.1
• 2747f41 update scope so it assumes the @ is there
• 2717d3e tweak for read-package-json@latest and promzard@3
• e51cdc4 Validate name
• 5327351 1.3.0
• f57d51f test: tweak roving slash
• 9c20a51 Add supporting scope option
• 6c07431 1.2.0
• ad38432 author URLs are now getting normalized
• 561f042 Add support for save-exact flag in npm-init
• b766900 1.1.3
• 062a3e0 dotted values should override dashed defaults
• 3c72949 1.1.2
• 3b3312a config values can be dotted OR dashed
• a4df4e5 1.1.1
• 5698330 add .gitignore
• 50c7c55 ensure that npm environmental config gets used
• f6ced3c 1.1.0
• 167bccf Make init prompt optional

See the full diff

Package name: minimatch

The new version differs by 49 commits.

• 81edb7c v3.0.2
• 6944abf Handle extremely long and terrible patterns more gracefully
• 8ac560e v3.0.1
• 4f3a8bc update tap
• 9cf2d88 Remove mentions of cache from readme
• 7df236f Use svg instead of png to get better image quality
• 361f803 Fixes spelling mistake from "instanting" to "instantiating"
• ea0c690 update travis
• 270dbea v3.0.0
• 668a1f4 Don't package browser version
• 6afb85f v2.0.10
• 6c14860 Do not crash on nested negative extglobs
• 5adde89 v2.0.9
• 2705792 ignore coverage output
• 8ea7ebd Do not fall for partial negative lookahead matches
• c2ce2b0 Tests for negated extglob support
• 66b2d9d Run lint after tests, not before
• 5906879 Adding browserify -s to generate a UMD bundle
• e9f7aae before_script needs to be before_install
• 20bd80c don't blow up on new __coverage__ global
• 1234041 tap 1.2.0 and travis
• 0bc7d9c v2.0.8
• 1056320 isc license
• 4bd6dc2 v2.0.7

See the full diff

Package name: node-gyp

The new version differs by 203 commits.

• 41f2b23 4.0.0
• 35e765b doc: update changelog
• ceed5cb deps: updated tar package version to 4.4.8
• 374519e Upgrade to tar v3
• e6699d1 test: fix addon test for Node.js 12 and V8 7.4
• 0c6bf53 lib: use print() for python version detection
• 9a404d6 3.8.0
• 9b9d98f doc: update changelog
• c5929cb doc: update Xcode preferences tab name.
• 8b488da doc: update link to commit guidelines
• b4fe8c1 doc: fix visual studio links
• 536759c configure: use sys.version_info to get python version
• 94c39c6 gyp: fix ninja build failure (GYP patch)
• e8ea74e tools: patch gyp to avoid xcrun errors
• ea9aff4 tools: fix "the the" typos in comments
• 207e5aa gyp: implement LD/LDXX for ninja and FIPS
• b416c5f gyp: enable cctest to use objects (gyp part)
• 40692d0 gyp: add compile_commands.json gyp generator
• fc3c4e2 gyp: float gyp patch for long filenames
• 8aedbfd gyp: backport GYP fix to fix AIX shared suffix
• 6cd84b8 test: formatting and minor fixes for execFileSync replacement
• 60e4213 test: added test/processExecSync.js for when execFileSync is not available.
• 969447c deps: bump request to 2.8.7, fixes heok/hawk issues
• 340403c win: improve parsing of SDK version

See the full diff

Package name: npm-registry-client

The new version differs by 151 commits.

• 250563a 7.0.1
• 8a4d3f7 chownr@1.0.1
• 643cc11 7.0.0
• 42a22f7 test: access api tests
• 28c4507 access: rewrote access api with other commands
• ee3a9f0 test: team api tests
• 0269da7 team: implemented api for npm team
• efe7e5a request: set pkgid, statusCode, and code on error
• e39ae11 request: don't return error as String
• dbb351a 6.5.1
• 4f686fd allow semver@5
• f737014 6.5.0
• 177d37a Updated ping command to stick to The New Way
• 9ab131e Add ping command
• 10d4d4c tap@1.2.0
• a8d3193 6.4.0
• 0d2c807 allow publish to existing mixed case names
• bd0ab6f 6.3.3
• 40c445f Use a https schema so the example works
• 2e1b2a5 decode the package name from the request URL
• dd40299 6.3.2
• 856eefe don't send body on GET requests
• 0d59a9b 6.3.1
• 3b8fc42 6.3.0

See the full diff

Package name: npm-user-validate

The new version differs by 6 commits.

• 5c5471c 1.0.1
• c8a87da fix: update email validation
• cd75393 Publish only the minimum of files
• df602d6 1.0.0
• ac3b200 fix: added regex for blocking illegal characters in usernames
• c800063 fix: update build environment

See the full diff

Package name: read-installed

The new version differs by 20 commits.

• 50e45af v3.1.3
• 9fb73fb allow semver@4
• 078d83b 3.1.2
• 829642f include devDeps of linked dependencies as well as root
• 30e5bc2 3.1.1
• dc46e4d add a test for dev deps being extraneous
• f733a80 Don't include devDependencies past the first level
• 1dbabc0 v3.1.0
• b20b250 use readdir-scoped-modules to read @ scope/foo packages
• 7d7aab1 v3.0.0
• c420db4 use debuglog module
• a608a4b Better variable names, and remove unnecessary semicolons
• b0e29bb Leave unmet deps as strings, don't set to null
• 669669a make fuSeen run-specific, not module-specific
• bef9eb2 Find extraneous deps properly
• 98b2972 Do not cache forever at the module-level, only per-run
• b2a475c Add top-level env-triggered debug function
• 64afa12 test showing failure to detect extraneousness of cyclic peer dev deps in non-dev mode
• 0aeb36a simple test cleanup
• 2fb48a4 Peer dep extraneousness inherits from peer

See the full diff

Package name: read-package-json

The new version differs by 14 commits.

• 74cdfd0 1.3.3
• 6bc4d63 glob@5.0.3
• 9f05db9 test: enforce style rules when testing
• 2ba7a73 src: standardize read-package.json
• 580e759 remove redundant dependencies
• b746f65 fix caching problem
• d307d82 1.3.2
• 52e2808 dep: use a tap made this century
• 89c1148 use json-parse-helpfulerror
• 3e2f7da test: forgot to check in fixture
• 59011e6 1.3.1
• 709976e sometimes the bin mapping is empty
• 81fd5f7 1.3.0
• 35cef90 Validate scripts in 'bin', warn if they don't exist.

See the full diff

Package name: semver

The new version differs by 45 commits.

• 22e583c v4.3.2
• c80180d Prevent version strings > 256 chars, or with giant numbers
• fa9be2b v4.3.1
• 27483aa fix github URL
• 12c0304 v4.3.0
• 372f0bf rename test file and s/tabs/spaces/g
• 93a9d8a Added functions to extract major, minor, patch version
• d2806e6 4.2.2
• 46d5fa0 sometimes vim is not my friend
• bdfb195 4.2.1
• 7b2bdc8 fix example rendering
• d62c5f1 Merge pull request #117 from Hypercubed/patch-1
• 01c37c3 Update README.md
• 2105629 Ensure prerelease versions are compared by Ascii value
• f353d33 v4.2.0
• 89eabc1 diff(v1, v2)
• f43cb35 4.1.1
• 6cec0db what is "rubygems"
• 1a8c300 updated readme to match 4.1.0 release
• f8db569 v4.1.0
• 29597c0 inc(pre,id): Only put a single .0 after the id when non-numeric
• 8e84b19 Add support for prerelease identifiers
• 58c9714 v4.0.3
• 078061b v4.0.2

See the full diff

Package name: tar

The new version differs by 250 commits.

• 3e35515 4.4.18
• 52b09e3 fix: prevent path escape using drive-relative paths
• bb93ba2 fix: reserve paths properly for unicode, windows
• 2f1bca0 fix: prune dirCache properly for unicode, windows
• 9bf70a8 4.4.17
• 6aafff0 fix: skip extract if linkpath is stripped entirely
• 5c5059a fix: reserve paths case-insensitively
• fd6accb 4.4.16
• 53cea6e tests: run (and pass) on windows
• 166cfc0 fix: refactoring to pass tests on Windows
• ce5148e fix: refactoring to pass tests on Windows
• 3f2e2da fix: normalize paths on Windows systems
• e29a665 fix: properly prefix hard links
• fd2a38d chore: WriteEntry cleaner write() handling
• 7b2acc5 update deps
• 83bb22c WriteEntry backpressure
• 0dcc5b2 chore: track fs state on WriteEntry class, not in arguments
• adf3511 Avoid an unlikely but theoretically possible redos
• d688cad fix: properly handle top-level files when using strip
• ea6f254 unpack: keep path reservations longer
• b2a97e1 Address unpack race conditions using path reservations
• f0fe3aa basic path reservation system
• 843c897 4.4.15
• 46fe350 Remove paths from dirCache when no longer dirs

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Arbitrary File Write
🦉 Arbitrary File Write
🦉 Regular Expression Denial of Service (ReDoS)
🦉 More lessons are available in Snyk Learn