[Snyk] Fix for 78 vulnerabilities

[matrix-compute]

Snyk has created this PR to fix 78 vulnerabilities in the npm dependencies of this project.

Snyk changed the following file(s):

• package.json

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score
	Denial of Service (DoS) SNYK-JS-SOCKETIOPARSER-1056752	****
	Improper Input Validation SNYK-JS-SOCKETIOPARSER-3091012	****
	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	****
	Denial of Service (DoS) SNYK-JS-TRIMNEWLINES-1298042	****
	Regular Expression Denial of Service (ReDoS) SNYK-JS-UGLIFYJS-1727251	****
	Prototype Pollution SNYK-JS-UNSETVALUE-2400660	****
	Regular Expression Denial of Service (ReDoS) SNYK-JS-USERAGENT-174737	****
	Regular Expression Denial of Service (ReDoS) SNYK-JS-USERAGENT-8309369	****
	Cross-site Scripting (XSS) SNYK-JS-WEBPACK-7840298	****
	Path Traversal SNYK-JS-WEBPACKDEVMIDDLEWARE-6476555	****
	Regular Expression Denial of Service (ReDoS) SNYK-JS-WS-1296835	****
	Cross-site Scripting (XSS) SNYK-JS-ANGULAR-572020	756
	Prototype Pollution SNYK-JS-LODASH-567746	731
	Arbitrary Code Injection npm:growl:20160721	704
	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	696
	Uncontrolled resource consumption SNYK-JS-BRACES-6838727	696
	Denial of Service (DoS) SNYK-JS-ECSTATIC-540354	696
	Denial of Service (DoS) SNYK-JS-ENGINEIO-1056749	696
	Prototype Pollution SNYK-JS-LODASH-6139239	696
	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	696
	Prototype Pollution SNYK-JS-ANGULAR-534884	686
	Prototype Pollution SNYK-JS-LODASH-450202	686
	Prototype Pollution SNYK-JS-LODASH-608086	686
	Prototype Pollution SNYK-JS-LODASH-73638	686
	Prototype Pollution SNYK-JS-LODASHMERGE-173732	686
	Code Injection SNYK-JS-LODASH-1040724	681
	Code Injection SNYK-JS-LODASHTEMPLATE-1088054	681
	Improper Privilege Management SNYK-JS-SHELLJS-2332187	676
	Server-side Request Forgery (SSRF) SNYK-JS-REQUEST-3361831	646
	Cross-site Scripting (XSS) npm:angular:20171018	646
	Prototype Pollution SNYK-JS-JSON5-3182856	641
	Prototype Pollution SNYK-JS-LODASHMERGE-173733	636
	Prototype Pollution npm:lodash:20180130	636
	Information Disclosure SNYK-JS-SEMANTICRELEASE-1041706	635
	Missing Release of Resource after Effective Lifetime SNYK-JS-INFLIGHT-6095116	631
	Prototype Pollution SNYK-JS-MINIMIST-559764	601
	Cross-site Scripting (XSS) SNYK-JS-KARMA-2395349	591
	Denial of Service (DoS) SNYK-JS-ENGINEIO-3136336	589
	Prototype Pollution SNYK-JS-LOADERUTILS-3043105	589
	Prototype Pollution SNYK-JS-MERGE-1040469	589
	Inefficient Regular Expression Complexity SNYK-JS-MICROMATCH-6838728	589
	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-1019388	589
	Regular Expression Denial of Service (ReDoS) SNYK-JS-MOCHA-2863123	589
	Regular Expression Denial of Service (ReDoS) SNYK-JS-MOCHA-561476	589
	Regular Expression Denial of Service (ReDoS) npm:minimatch:20160620	589
	Regular Expression Denial of Service (ReDoS) npm:parsejson:20170908	589
	Prototype Override Protection Bypass npm:qs:20170213	589
	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	586
	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-2342073	586
	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-2342082	586
	Insecure Defaults SNYK-JS-SOCKETIO-1024859	586
	Cross-site Scripting (XSS) SNYK-JS-ANGULAR-471879	550
	Cross-site Scripting (XSS) SNYK-JS-ANGULAR-471882	550
	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	541
	JSONP Callback Attack npm:angular:20150315	539
	Content Security Policy (CSP) Bypass npm:angular:20161101	539
	Cross-site Scripting (XSS) npm:angular:20180202	539
	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-584281	520
	Prototype Pollution SNYK-JS-MINIMIST-2429795	506
	Regular Expression Denial of Service (ReDoS) npm:braces:20180219	506
	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	506
	Regular Expression Denial of Service (ReDoS) npm:eslint:20180222	506
	Command Injection SNYK-JS-NODENOTIFIER-1035794	494
	Denial of Service (DoS) SNYK-JS-ANGULAR-471885	490
	Information Exposure SNYK-JS-LOG4JS-2348757	489
	Open Redirect SNYK-JS-ECSTATIC-174543	484
	Open Redirect SNYK-JS-KARMA-2396325	484
	Regular Expression Denial of Service (ReDoS) SNYK-JS-LOADERUTILS-3042992	479
	Regular Expression Denial of Service (ReDoS) SNYK-JS-LOADERUTILS-3105943	479
	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-3050818	479
	Denial of Service (DoS) npm:ecstatic:20160809	479
	Cross-site Scripting (XSS) SNYK-JS-ANGULAR-570058	464
	Regular Expression Denial of Service (ReDoS) npm:ms:20170412	399

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Cross-site Scripting (XSS)
🦉 Denial of Service (DoS)
🦉 Prototype Pollution
🦉 More lessons are available in Snyk Learn

[socket-security]

New, updated, and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher
npm/babel-eslint@10.1.0 🔁 npm/babel-eslint@4.1.3	Transitive: environment, filesystem	+6	263 kB	kaicataldo
npm/babel-loader@9.0.0 🔁 npm/babel-loader@5.3.2	Transitive: environment, eval, unsafe	+9	1.51 MB	nicolo-ribaudo
npm/babel@6.23.0 🔁 npm/babel@5.8.23	None	0	1.26 kB	loganfsmyth
npm/commitizen@4.2.5 🔁 npm/commitizen@2.7.2	eval Transitive: environment, filesystem	+71	1.38 MB	commitizen-bot
npm/eslint-plugin-mocha@1.1.0 🔁 npm/eslint-plugin-mocha@1.0.0	Transitive: environment, eval, filesystem, shell	+145	10.2 MB	lo1tuma
npm/eslint@9.0.0 🔁 npm/eslint@1.7.3	environment Transitive: eval, shell	+54	6.03 MB	eslintbot
npm/gulp@5.0.0 🔁 npm/gulp@3.9.1	Transitive: environment, filesystem, unsafe	+27	1.1 MB	phated
npm/http-server@0.13.0 🔁 npm/http-server@0.9.0	Transitive: environment, eval, shell	+37	2.04 MB	thornjad
npm/isparta-loader@2.0.0 🔁 npm/isparta-loader@1.0.0	None	0	3.85 kB	deepsweet
npm/isparta@4.0.0 🔁 npm/isparta@3.1.0	Transitive: environment, eval, filesystem, unsafe	+61	5.83 MB	douglasduteil
npm/istanbul@0.4.5 🔁 npm/istanbul@0.3.22, npm/istanbul@0.4.2	Transitive: environment, eval	+37	7.12 MB	gotwarlost
npm/karma-coverage@2.0.2 🔁 npm/karma-coverage@0.5.5	None	+4	115 kB	karmarunnerbot
npm/karma-webpack@5.0.0 🔁 npm/karma-webpack@1.7.0	filesystem Transitive: environment	+11	181 kB	ryanclark
npm/karma@6.4.3 🔁 npm/karma@0.13.22	filesystem Transitive: eval, unsafe	+137	10.1 MB	karmarunnerbot
npm/mocha@11.0.1 🔁 npm/mocha@2.4.5	eval Transitive: shell	+83	8.37 MB	voxpelli
npm/semantic-release@17.4.3 🔁 npm/semantic-release@4.3.5	network	+78	3.02 MB	semantic-release-bot
npm/validate-commit-msg@2.3.1	filesystem Transitive: shell	+4	76.8 kB	kentcdodds
npm/webpack-notifier@1.9.0	Transitive: environment, filesystem, network, shell	+6	5.81 MB	gvozd
npm/webpack@5.94.0	environment, filesystem, network, unsafe Transitive: eval, shell	+77	19.7 MB	evilebottnawi

🚮 Removed packages: npm/lodash@4.6.1

View full report↗︎

[socket-security]

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Alert	Package	Note	Source	CI
Critical CVE	npm/babel-traverse@6.26.0	CVE: GHSA-67hx-6x53-jw92 Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code (CRITICAL) Affected versions: < 7.23.2 Patched version: No patched versions	package.json	⚠︎
Critical CVE	npm/underscore@1.6.0	CVE: GHSA-cf4h-3jhx-xvhq Arbitrary Code Execution in underscore (CRITICAL) Affected versions: >= 1.3.2, < 1.12.1 Patched version: 1.12.1	package.json	⚠︎

View full report↗︎

Next steps

What is a critical CVE?

Contains a Critical Common Vulnerability and Exposure (CVE).

Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/foo@1.0.0 or ignore all packages with @SocketSecurity ignore-all

• @SocketSecurity ignore npm/babel-traverse@6.26.0
• @SocketSecurity ignore npm/underscore@1.6.0