[Snyk] Fix for 26 vulnerabilities

[one3chens]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	Yes	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-450202	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-608086	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-73638	Yes	Proof of Concept
	541/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	Yes	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASHTEMPLATE-1088054	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-1019388	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-3050818	Yes	No Known Exploit
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Out-of-Bounds SNYK-JS-NODESASS-535498	Yes	Proof of Concept
	761/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.8	NULL Pointer Dereference SNYK-JS-NODESASS-535500	Yes	Proof of Concept
	536/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.3	Out-of-bounds Read SNYK-JS-NODESASS-540958	Yes	Proof of Concept
	536/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.3	Uncontrolled Recursion SNYK-JS-NODESASS-540964	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Denial of Service (DoS) SNYK-JS-NODESASS-540978	Yes	Proof of Concept
	536/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.3	NULL Pointer Dereference SNYK-JS-NODESASS-540992	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Out-of-Bounds SNYK-JS-NODESASS-540998	Yes	Proof of Concept
	654/1000 Why? Has a fix available, CVSS 8.8	Use After Free SNYK-JS-NODESASS-541000	Yes	No Known Exploit
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Out-of-bounds Read SNYK-JS-NODESASS-541002	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Server-side Request Forgery (SSRF) SNYK-JS-REQUEST-3361831	Yes	Proof of Concept
	619/1000 Why? Has a fix available, CVSS 8.1	Remote Code Execution (RCE) SNYK-JS-SHELLQUOTE-1766506	Yes	No Known Exploit
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-UNSETVALUE-2400660	Yes	No Known Exploit
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:lodash:20180130	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:minimatch:20160620	Yes	No Known Exploit
	741/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.4	Command Injection npm:shell-quote:20160621	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: browserify

The new version differs by 42 commits.

• e19f256 12.0.0
• c881c07 update devdeps
• c77bf33 update glob and shell-quote
• c35f73e update builtins deps
• da949a1 update deps for streams3
• e3fbe7d update module-deps & fix symlink bug (also uses streams3)
• df43933 remove unused deps
• dca78a6 update browser-pack & fix charset bug (also uses streams3)
• 46aba9f use latest node in travis
• 76b60a9 remove node 0.8 from travis
• f5a82d8 Merge pull request GradlePluginGoogleServicesEnabled duplicated apache/cordova-docs#1362 from mnichols/master
• 185be39 Merge pull request chore(blog): announce meetup recording apache/cordova-docs#1393 from emilbayes/patch-1
• d48ec61 Merge pull request Remove Google Analytics from Archive Docs apache/cordova-docs#1396 from stevemao/patch-3
• d847221 travis: test on node4 not "4.0.0"
• a212016 Links to the wrong querystring module
• b7cf5be 11.2.0
• bb2a99d Merge pull request chore(deps): bump cookie and socket.io apache/cordova-docs#1361 from substack/fix-bare
• e781d9d Merge pull request chore(build)!: remove more gulp related dependencies apache/cordova-docs#1377 from demohi/patch-2
• 05d7861 update package.json version
• 85e4b9d 11.1.0
• c1c6b72 browserify adds the '.' in case you forget it
• 97a122e Update travis Node.js version & remove io.js
• 1b73d9b bump buffer to 3.4.3 to fix maximum call stack exceeded errors
• cf32d77 Exclude "process" and "buffer" when "bundleExternal === false"

See the full diff

Package name: gulp

The new version differs by 134 commits.

• 55eb23a Release: 4.0.0
• 173a532 Docs: Fix the installation instructions
• ec54d09 Docs: Improve note about out-of-date docs
• 03b7c98 Docs: Update recipes to install gulp@next
• 2eba29e Docs: Remove run-sequence from recipes
• 76eb4d6 Docs: Add installation instructions & update badges
• fbc162f Docs: Remove references to gulp-util
• 3011cf9 Scaffold: Normalize repository
• f27be05 Update: Remove graceful-fs from test suite
• 361ab63 Upgrade: Update glob-watcher
• 064d100 Build: Avoid broken node 9
• 057df59 Release: 4.0.0-alpha.3
• c1ba80c Breaking: Upgrade major versions of glob-watcher, gulp-cli & vinyl-fs
• 89acc5c Docs: Improve ES2015 task exporting examples (#1999)
• 0ac9e04 Docs: Add "Project structure" section to CONTRIBUTING.md (#1859)
• 723cbc4 Docs: Fix syntax in recipe example (#1715)
• d420a6a Docs: Have gulp.lastRun take a function to avoid task registration (#1828)
• 29ece6f Upgrade: Update undertaker
• e931cb0 Docs: Fix changelog typos (#1696)
• 477db84 Docs: Add a "BrowserSync with Gulp 4" recipe (#1659)
• d4ed3c7 Docs: Add options.cwd for gulp.src API (#1645)
• 5dc3b07 Docs: Update gulp.watch API to align with glob-watcher
• 0c66069 Breaking: Replace chokidar as gulp.watch with glob-watcher wrapper
• c3dbc10 Docs: Clarify incremental builds example (#1609)

See the full diff

Package name: gulp-footer

The new version differs by 8 commits.

• 2f0cce3 Update depencencies, closes [Snyk] Security upgrade browserify from 10.2.6 to 15.0.0 #17
• 822aaf3 Merge pull request [Snyk] Fix for 1 vulnerabilities #16 from MarcAbonce-Vidado/master
• 148797d update lodash.template dependency
• 27ccaa1 Update package.json
• 0895fdc Update README.md
• 491d418 2.0.2
• 1f66a8a Merge pull request [Snyk] Fix for 1 vulnerabilities #13 from Basa0/remove-event-streamer
• 4285533 Replaced event-stream with direct dependency

See the full diff

Package name: gulp-header

The new version differs by 88 commits.

• ade47bc 1.8.10
• 7fdf1ec legacy branch
• 2923410 2.0.2
• fc3e4a3 Fix support for file data (`gulp-data`)
• 3f76e6b 2.0.1
• 02c6477 don't ignore package-lock
• 60161bc bump version
• e57c98b ignore package-lock
• e6a6e33 replace deprecated gulp-util, remove object-assign, updte travis node versions to only 8
• 5bafd98 Update tests
• decbdc0 Drop dependency on deprecated `gulp-util`
• e1a2466 change assignment order for gulp-data support
• 0a49a85 add coffeescript-example closes [Snyk] Fix for 1 vulnerabilities #49
• 9b17c5e update travis.yml to current node versions
• 8cabb52 1.8.9
• 6e650e9 update docs, closes [Snyk] Fix for 1 vulnerabilities #51
• 586e2a2 Update package.json
• 4d21964 1.8.8
• f1c7a7d Add changelog and document the file and filename locals for templates
• 21cc4e4 Merge branch 'patch-1' of github.com:eisbehr-/gulp-header into pr-merge
• 84bd92f direct support for gulp-data
• 4fe47a4 Fixes undefined template local "filename"
• d27f5e8 Update README.md
• 42c61d8 1.8.7

See the full diff

Package name: gulp-less

The new version differs by 2 commits.

• 7d9df97 4.0.0
• cde149b Update accord to support [email protected] - closes CB-8438 cordova-docs documentation translation: cordova-docs apache/cordova-docs#269

See the full diff

Package name: gulp-sass

The new version differs by 42 commits.

• 5775044 Update CHANGELOG.md
• 978b8f6 Update to major version 5 (CB-13400 Restructure and test "Installing" instructions(part b) - Categorizing installation steps according to OSes apache/cordova-docs#802)
• 10eae93 Update changelog for 4.1.1
• 947b26c Upgrade lodash to fix a security issue (Update Android API version table apache/cordova-docs#776)
• 8d6ac29 Update changelog
• 43c0547 4.1.0
• ebe3ec6 Set appropriate file stat times (See PR #722 apache/cordova-docs#763)
• 7ab018e Migrate to the lodash package
• fa670c6 4.0.2
• fefa00e Revert package.json version bump
• 98254d2 Fix README typos
• 8a14419 Continue loading Node Sass by default
• 938afbe Add a note about synchronous versus asynchronous speed
• 7cc2db1 Make this package implementation-agnostic
• 643f73b Add documentation for synchronous code options
• 0b3c7e7 4.0.1
• daca90d Merge pull request CB-12404 Add [email protected] release blog post apache/cordova-docs#681 from DKvistgaard/master
• 71471c2 Declaring logError as function instead of arrow function.
• 450a7b8 4.0.0
• e9b1fe8 Fix node versions in appveyor.yml
• 44be409 Merge pull request CB-12224 - Added plugins release blog post apache/cordova-docs#667 from dlmanning/next
• 7656eff Adopt airbnb eslint preset
• 1293169 Bump autoprefixer@^8.1.0, gulp-postcss@^7.0.1
• 9fa817b Bump gulp-sourcemaps@^2.6.4

See the full diff

Package name: gulp-uglify

The new version differs by 9 commits.

• e4f9045 2.0.0
• 566ec6a refactor(tests): write tests with mocha
• 5651111 refactor(tests): replace `cmem` with `testdouble`
• b82387b refactor(tests): compose streams with `mississippi` utilities
• 1232c3c fix(errors): emit errors of type `GulpUglifyError`
• 5632cee fix(minifer): use `gulplog` for the warning
• 8160697 feat(minifier): use UglifyJS 2.7.0's input map support
• 3ec8fc3 chore(package): update uglify-js to version 2.7.0
• a9c55b9 doc(README): spelling mistake in example

See the full diff

Package name: less

The new version differs by 250 commits.

• e4f7551 v3.12.0
• 371185c v3.12.0-RC.2 (#3540)
• d5aa9d1 Fixes #3371 Allow conditional evaluation of function args (#3532)
• a722237 Remove lib folder from git (#3531)
• e0f5c1a Move changelog to root (#3530)
• f7bdce7 Duplicate dist files in root for older links (#3529)
• 0925cf1 Test-data module (#3525)
• 51fb02b Fixes #3504 / organizes tests (#3523)
• efb76ec Restore nuked scripts (?), replace dependencies (#3501) (#3522)
• 2c5e4dd Lerna refactor / TS compiling w/o bundling (#3521)
• a3641e4 Resolve #3398 Add flag to disable sourcemap url annotation (#3517)
• e018ba8 fix(#3294): use loadFileSync when loading plugins with syncImport: true (#3506)
• 95b9007 Update changelog
• 6238bbc Fixes #3508 (#3509)
• 8338366 Update README.md
• 6313bc5 Update changelog
• 53bf877 Remove tree caching in import manager (#3498)
• 0f271f3 issue#3481 ignore missing debugInfo (#3482)
• 3bd995b Additional check to avoid evaluating an expression if it is a comment (#3494)
• 0715d90 fix: Use make-dir instead of mkdirp (#3490)
• 2634494 Properly exit calc mode after use (#3493)
• 096dd22 Convert to auto-changelog (#3477)
• 842386b Fixes #3469 - Include tslib dependency (#3475)
• 1adaadb 3.11.0 (#3468)

See the full diff

Package name: node-sass

The new version differs by 250 commits.

• 3b556c1 7.0.2
• c716359 Bump sass-graph@^4.0.1 (#3292)
• 24741b3 docs(readme): fix docpad plugin link
• 1523330 feat: Drop Node 12
• 365d357 update https://registry.npm.taobao.org to https://registry.npmmirror.com
• 1456114 build(deps): bump actions/upload-artifact from 2 to 3
• b465b69 chore: bump GitHub Actions to Windows 2019 (#3254)
• e6194b1 build(deps): bump make-fetch-happen from 9.1.0 to 10.0.4
• 4edf594 build(deps): bump node-gyp from 8.4.1 to 9.0.0
• 29e2344 build(deps): bump actions/checkout from 2 to 3
• 85b0d22 build(deps): bump actions/setup-node from 2 to 3
• 3bb51da Use make-fetch-happen instead of request (#3193)
• adc2f8b build(deps): bump true-case-path from 1.0.3 to 2.2.1 (#3000)
• 77d12f0 chore: disable Apline for Node 16/17 builds
• 308d533 ci: use Python 3 for Node 12
• c818907 ci: unpin actions/setup-node to v2
• 99242d7 7.0.1
• 77049d1 build(deps): bump sass-graph from 2.2.5 to 4.0.0 (#3224)
• c929f25 build(deps): bump node-gyp from 7.1.2 to 8.4.1 (#3209)
• 918dcb3 Lint fix
• 0a21792 Set rejectUnauthorized to true by default (#3149)
• e80d4af chore: Drop EOL Node 15 (#3122)
• d753397 feat: Add Node 17 support (#3195)
• dcf2e75 build(deps-dev): bump eslint from 7.32.0 to 8.0.0

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Prototype Pollution
🦉 NULL Pointer Dereference
🦉 More lessons are available in Snyk Learn