[Snyk] Fix for 17 vulnerabilities

[luxiaojian]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-COLORSTRING-1082939	Yes	Proof of Concept
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Arbitrary File Write via Archive Extraction (Zip Slip) SNYK-JS-DECOMPRESS-557358	Yes	Proof of Concept
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Arbitrary File Write via Archive Extraction (Zip Slip) SNYK-JS-DECOMPRESSTAR-559095	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-HTMLMINIFIER-3091181	Yes	Proof of Concept
	661/1000 Why? Recently disclosed, Has a fix available, CVSS 7.5	Missing Release of Resource after Effective Lifetime SNYK-JS-INFLIGHT-6095116	Yes	No Known Exploit
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASHTEMPLATE-1088054	Yes	Proof of Concept
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Prototype Pollution SNYK-JS-MINIMIST-2429795	Yes	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-POSTCSS-1255640	Yes	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Improper Input Validation SNYK-JS-POSTCSS-5926692	Yes	No Known Exploit
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Server-side Request Forgery (SSRF) SNYK-JS-REQUEST-3361831	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	No	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-UNSETVALUE-2400660	Yes	No Known Exploit
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:braces:20180219	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: css-loader

The new version differs by 136 commits.

• 43179a8 chore(release): 1.0.0
• 3d53968 Merge remote-tracking branch 'origin/master'
• 240db53 version 1.0 (#742)
• 1b7acf7 Merge remote-tracking branch 'origin/master'
• 1703721 docs(README): add more context to `localIdentName` (#711)
• 1c51265 docs(README): fix malformed emoji (#701)
• 50f8ec0 Merge remote-tracking branch 'origin/master'
• 07444ad tests: css custom variables (#709)
• 3de8aa7 tests: css custom variables (#709)
• df497db chore(release): 0.28.11
• c788450 fix(lib/processCss): don't check `mode` for `url` handling (`options.modules`) (#698)
• c35d8bd chore(release): 0.28.10
• 9f876d2 fix(getLocalIdent): add `rootContext` support (`webpack >= v4.0.0`) (#681)
• 0452f26 test: hashes inside `@ font-face` url (#678)
• 630579d chore(release): 0.28.9
• 604bd4b chore(package): update dependencies
• d1d8221 fix: ignore invalid URLs (`url()`) (#663)
• 0fc46c7 chore(release): 0.28.8
• 333a2ce chore(package): update `dependencies`
• 39773aa ci(travis): use `npm`
• 8897d44 fix: proper URL escaping and wrapping (`url()`) (#627)
• 0dccfa9 fix(loader): correctly check if source map is `undefined` (#641)
• d999f4a docs: Update importLoaders documentation (#646)
• 05c36db test: removed redundant `modules` argument (#599)

See the full diff

Package name: eslint

The new version differs by 250 commits.

• a7985a6 6.0.0
• be74dd9 Build: changelog update for 6.0.0
• 81aa06b Upgrade: [email protected] (#11869)
• 5f022bc Fix: no-else-return autofix produces name collisions (fixes #11069) (#11867)
• ded9548 Fix: multiline-comment-style incorrect message (#11864)
• cad074d Docs: Add JSHint W047 compat to no-floating-decimal (#11861)
• 41f6304 Upgrade: sinon (#11855)
• 167ce87 Chore: remove unuseable profile command (#11854)
• c844c6f Fix: max-len properly ignore trailing comments (fixes #11838) (#11841)
• 1b5661a Fix: no-var should not fix variables named 'let' (fixes #11830) (#11832)
• 4d75956 Build: CI with Azure Pipelines (#11845)
• 1db3462 Chore: rm superfluous argument & fix perf-multifiles-targets (#11834)
• c57a4a4 Upgrade: @ babel/polyfill => core-js v3 (#11833)
• 65faa04 Docs: Clarify prefer-destructuring array/object difference (fixes #9970) (#11851)
• 81c3823 Fix: require-atomic-updates reports parameters (fixes #11723) (#11774)
• aef8ea1 Sponsors: Sync README with website
• 4f48f5a 6.0.0-rc.0
• 6bad650 Build: changelog update for 6.0.0-rc.0
• f403b07 Update: introduce minKeys option to sort-keys rule (fixes #11624) (#11625)
• 87451f4 Fix: no-octal should report NonOctalDecimalIntegerLiteral (fixes #11794) (#11805)
• e4ab053 Update: support "bigint" in valid-typeof rule (#11802)
• e0fafc8 Chore: removes unnecessary assignment in loop (#11780)
• 20908a3 Docs: removed '>' prefix from from docs/working-with-rules (#11818)
• 1c43eef Sponsors: Sync README with website

See the full diff

Package name: eslint-friendly-formatter

The new version differs by 44 commits.

• e2d0900 DOC: Generate changelog
• 1863038 BLD: Release v4.0.0
• 68de47b FIX: Make tests to pass for [Snyk] Fix for 3 vulnerable dependencies #23
• 414db03 Fix trailing color in new lines
• f1946c8 Merge pull request [Snyk] Security upgrade angular from 1.5.0 to 1.8.0 #31 from gartnera/master
• 23ad2ec Change iterm escape code
• 32a1e55 Update README.md
• 206719b Merge pull request [Snyk] Fix for 2 vulnerabilities #28 from hsxfjames/master
• 1951a8f Update tests snapshots after upgrading chalk.
• 25ff0b5 Upgrade chalk to v2.0.1 && DO NOT use removed method `chalk.stripColor`
• 747f1e6 FIX: make travis happy again, take 4
• 1c6c7a8 FIX: use chai-jest-snapshot
• d0b184e BLD: update nodejs in travis to 6x
• c42a40a FIX: Add snapshot testing to make it easier the testing
• a4e2d42 FIX: make travis happy again, take 2
• 3a431a9 FIX: make travis happy again
• 990a3a3 DOC: Generate changelog
• 6819e5e BLD: Release v3.0.0
• c79ee4d FIX: Make relative paths the default again
• 9ac3e48 DOC: Generate changelog
• 637842a BLD: Release v2.0.7
• 86f5588 BLD: update deps
• f83e205 DOC: Generate changelog
• cdeb9b2 BLD: Release v2.0.6

See the full diff

Package name: fs-extra

The new version differs by 77 commits.

• 2da7def README: Node v0.12 deprecation notice.
• f074627 1.0.0
• 3b48231 CHANGELOG: add issues
• d722ae9 Merge pull request #286 from agnivade/walkSync
• 87dd3c8 Merge pull request #307 from jprichardson/coverage
• 7448648 Fix coverage
• 597a98f Merge pull request #305 from jprichardson/coveralls
• 9d19da7 Merge pull request #306 from jprichardson/deps
• ab3c29c Update devDeps, fix lint error
• 662b78b Re-add Coveralls
• 6f3caef Merge pull request #304 from jprichardson/path-is-absolute
• bebbe78 Remove path-is-absolute
• d71d9b3 Merge pull request #303 from jprichardson/docs-copySync
• 916462b Document copySync filter inconsistency
• 0314876 Merge pull request #300 from jprichardson/rimraf
• a837927 Inline rimraf
• 071f8ce Fix typo
• f31b88e Merge pull request #301 from jprichardson/copySync-chmod
• ac6f688 Remove chmod call from copySync
• 23b2096 Merge pull request #299 from jprichardson/filter
• 9da4958 Warn when filter is a RegExp
• 7632804 Merge pull request #294 from jprichardson/ncp
• abfe0be Merge pull request #293 from jprichardson/travis
• 620992b Merge pull request #295 from jprichardson/filter-docs

See the full diff

Package name: html-loader

The new version differs by 122 commits.

• d7cccfa chore(release): 1.0.0
• 3c9a1d8 refactor: `attributes` option (#265)
• 8c73761 feat: `preprocessor` option (#263)
• f2ce5b1 feat: improve errors
• 9923244 chore(deps): update (#260)
• 9835bde feat: supports `link:href` attribute for css (#258)
• 7af2eff refactor: improve schema (#257)
• 98412f9 docs: `filter` sources (#256)
• ff0f44c feat: implement the `filter` option for filtering some of sources (#255)
• 1c24662 refactor: move the `root` option under the `attributes` option (#254)
• 888b8fe docs: add footnote for `-attributes` (#252)
• 3d2907e refactor: remove the `interpolate` option
• bd979e2 refactor: remove the `interpolate` option
• fcba4ec fix: handle only valid srcset tags (#253)
• 9e5ce56 perf: improve source parse (#251)
• c9c8dad refactor: improve source parse (#250)
• 079d623 fix: respect `#hash` in sources
• a17df49 fix: reduce `import`/`require` count
• d0b0150 fix: adding quotes when necessary for unquoted sources (#247)
• e3727ab test: minifier
• 0bbe29c feat: migrate on `htmlparse2`
• b7af031 fix: escape `\u2028` and `\u2029` characters (#244)
• 24b0427 fix: parser tags and attributes according spec (#243)
• 3df909d feat: support `script:src` attributes

See the full diff

Package name: html-webpack-plugin

The new version differs by 250 commits.

• eb73905 chore(release): 4.0.0
• 42a6d4a Add typing for getHooks
• a1a37cf Release html-webpack-plugin 4.0.0-beta.14
• 97f9fb9 fix: load script files before style files files in defer script loading mode
• e97ce17 Release html-webpack-plugin 4.0.0-beta.13
• e448b5d Release html-webpack-plugin 4.0.0-beta.12
• de315eb feat: Add defer script loading
• 7df269f feat: Provide a verbose error message if html minification failed
• 1d66e53 feat: merge templateParameters with default template parameters
• dfb98e7 Fix typo in template option docts
• 096a760 Fix broken links in examples
• a195c34 docs: Update template-option documentation
• 40b410e docs: Update example for template parameters
• bf017f3 chore: Release 4.0.0-beta.11
• 2549557 test: Don't use minification for speed measurement
• de22fc2 test: Adjust measurment for node 6 on travis
• 24bf1b5 fix: Update references to html-minifier
• f4eafdc chore: Release 4.0.0-beta.10
• a2ad30a refactor: Use getAssetPath instead of calling the hook directly
• 2595a79 chore: Release 4.0.0-beta.9
• c66766c feat: Add support for minifying inline ES6 inside html templates
• 655cbcd Fix README typo
• 6de319b update lodash dependency for prototype polution vulnerability
• 35a1541 Properly encode file names emitted as part of URLs.

See the full diff

Package name: node-sass

The new version differs by 250 commits.

• 99242d7 7.0.1
• 77049d1 build(deps): bump sass-graph from 2.2.5 to 4.0.0 (#3224)
• c929f25 build(deps): bump node-gyp from 7.1.2 to 8.4.1 (#3209)
• 918dcb3 Lint fix
• 0a21792 Set rejectUnauthorized to true by default (#3149)
• e80d4af chore: Drop EOL Node 15 (#3122)
• d753397 feat: Add Node 17 support (#3195)
• dcf2e75 build(deps-dev): bump eslint from 7.32.0 to 8.0.0
• bfa1a3c build(deps): bump actions/setup-node from 2.4.0 to 2.4.1
• 80d6c00 chore: Windows x86 on GitHub Actions (#3041)
• 566dc27 build(deps-dev): bump fs-extra from 0.30.0 to 10.0.0 (#3102)
• 7bb5157 build(deps): bump npmlog from 4.1.2 to 5.0.0 (#3156)
• 2efb38f build(deps): bump chalk from 1.1.3 to 4.1.2 (#3161)
• fca5257 build(deps): bump actions/setup-node from 2.3.0 to 2.4.0
• 6200b21 docs: Double word "support" (#3159)
• eaf791a build(deps): bump actions/setup-node from 2.1.5 to 2.3.0
• 16b8d4b build(deps): bump coverallsapp/github-action from 1.1.2 to 1.1.3
• c167004 6.0.1
• 911d4db remove mkdirp dep (#3108)
• 30a52f7 build(deps): bump meow from 3.7.0 to 9.0.0
• 7e08463 build(deps-dev): bump mocha from 8.4.0 to 9.0.1
• cfcbb2c chore: Use default Apline version from docker-node (#3121)
• 886319b chore: Drop Node 10 support
• c908f4f fix: Bump OSX minimum to 10.11

See the full diff

Package name: vue-loader

The new version differs by 59 commits.

• 6c6c3e8 version bump
• 3a74b46 bump deps
• f5c571d remove default babel configuration
• d3274ec make babel optional, tweak peer deps
• 840c31e remove default autoprefixer
• 4ca04e0 use node 6 on ci
• f957086 bump vue-template-compiler dep
• 2aa8f6b full test including template -> render compilation
• 9518db6 tests passing without template assertions
• 9f92234 centralize path normalization logic
• 9f00d51 simplify deps by dynamically normalizing path
• c6d2827 pass in filename for sourcemap
• 4dfef0e pass pad/map option to sfc parser
• 93212aa tweak css rewriter regex
• c9bd506 support 2.0 hot-reload
• 961c065 cleanup deps
• 2c20abf scoped css support
• 4768112 roughly working for 2.0
• bc90d83 8.5.2
• 66d2051 fix style-rewriter bug and add test case
• 674c3bc 8.5.1
• 654250e Merge branch 'master' of github.com:vuejs/vue-loader
• abd0453 pad results with whitespace - re This is an issue with the slush-cooking-vue generator ElemeFE/cooking#190 (#230)
• 9f2cc28 update docs

See the full diff

Package name: webpack

The new version differs by 250 commits.

• 4be093d 2.2.0
• 2278469 2.2.0-rc.8
• b946eb4 Merge pull request #3988 from malstoun/bug/2664
• 260e413 Merge pull request #3986 from webpack/bugfix/revert_use_of_buffer_dot_from
• 0ec7de9 Fix regression with watch cli opt, add tests for this case
• 72226db add missing disable line
• 4d30675 build fresh yarn.lock file to remove buffer polyfill
• 91c1f35 fix(node): rollback changes of Buffer.from to new Buffer() and bump down travis to 4.3 min node v
• 0b47602 2.2.0-rc.7
• db6ccbc Merge pull request #3978 from webpack/bugfix/conditional-reexports
• 82a5b03 Merge pull request #3977 from malstoun/bug/2664
• fc1a43b Merge pull request #3976 from timse/rely-on-defaults
• a44694a hoist exports declarations too
• 682bde8 Fix lint
• c6d7d90 Add tests
• af8d49e remove defaults values to shave a few bytes
• 9796696 2.2.0-rc.6
• e9bdb05 Merge pull request #3971 from webpack/bugfix/fix_available_vars_in_fmtp
• bd45bdc add test case for global in harmony modules
• bfccb20 fix PR
• 5a3a23f fix(nmf): Fix exports for var injection to include free glob exports or arguments
• 437dce4 2.2.0-rc.5
• 91cb1df Merge pull request #3970 from webpack/ci/appveyor
• 9fd55e5 Merge pull request #3969 from webpack/bugfix/issue-3964

See the full diff

Package name: webpack-dev-server

The new version differs by 243 commits.

• 7e18f6a 2.2.0
• e9dd0ed Upgrade webpack dependency
• cae704f Update README to new standard
• d560695 Fix broken test after webpack update
• 84a98ad update webpack dev dependency
• a947336 Refactor to ES6
• fb74672 Bring eslint config in line with webpack/webpack
• 2f9ac82 Make Travis run Node.js v4 and v6
• bbcca86 Require Node.js v4.7 or higher
• fcf5f3c (fix) proxy config with bypass and without target (#721)
• 00bdcd5 2.2.0-rc.0
• cffd387 update webpack-dev-middleware dep
• 1adb818 Allow webpack 2 rc
• 658280d Update License to match with webpack/webpack
• 1f60309 2.1.0-beta.12
• 7eb7a92 Add warning for issues with Node.js v7
• 8a4b070 Fix colors in CLI not working when using stats as a string
• b072535 Simplify issue template
• 5efc245 Bring back reloading the app after compiler warnings
• 2a74a08 Fix tests after the schema change
• 4131be5 Disallow usage of `true` in `contentBase` option
• 10db4a7 Allow `none` as value for the `clientLogLevel` option
• a874303 2.1.0-beta.11
• 7cb0490 Fix `--open` flag opening wrong URL when using lazy mode

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Prototype Pollution
🦉 Improper Input Validation
🦉 More lessons are available in Snyk Learn