[Snyk] Fix for 20 vulnerabilities

[snyk-bot]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • scripts/bench/package.json
  • scripts/bench/.snyk

Vulnerabilities that will be fixed

With an upgrade:

Severity	Issue	Breaking Change	Exploit Maturity
	Prototype Pollution SNYK-JS-HANDLEBARS-173692	No	No Known Exploit
	Prototype Pollution SNYK-JS-HANDLEBARS-174183	No	No Known Exploit
	Prototype Pollution SNYK-JS-HANDLEBARS-469063	No	No Known Exploit
	Denial of Service (DoS) SNYK-JS-HANDLEBARS-480388	No	No Known Exploit
	Arbitrary Code Execution SNYK-JS-HANDLEBARS-534478	No	No Known Exploit
	Prototype Pollution SNYK-JS-HANDLEBARS-534988	No	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-174116	No	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-451540	No	No Known Exploit
	Prototype Pollution SNYK-JS-MINIMIST-559764	No	Proof of Concept
	Directory Traversal SNYK-JS-NODEGIT-542720	No	No Known Exploit
	Improper Handling of Alternate Data Stream SNYK-JS-NODEGIT-542721	No	Mature
	Improper Handling of Alternate Data Stream SNYK-JS-NODEGIT-542722	No	No Known Exploit
	Improper Link Resolution Before File Access SNYK-JS-NODEGIT-542723	No	Mature
	Regular Expression Denial of Service (ReDoS) npm:mime:20170907	No	No Known Exploit
	Prototype Override Protection Bypass npm:qs:20170213	No	No Known Exploit

Commit messages

Package name: http-server

The new version differs by 95 commits.

• e6f6358 0.12.0
• fee644f fix repo urls
• cd0bbc8 SSL Certificate Checking and Grammar Fixes (Removing unused prevState variable. facebook/react#479)
• 3c5dfc6 Test on osx (Don't mutate passed-in props facebook/react#576)
• 9fa7e93 Merge pull request Move __owner__ off of props facebook/react#575 from http-party/update-readme-badges
• 6b2fe25 test on osx
• 0f65fc6 update readme badges to use new repo
• a306ebc Merge pull request Make ReactEventTopLevelCallback-test pass facebook/react#573 from Xmader/test-on-windows
• 9a0f64f force to use ecstatic v3.3.2 in tests (Fix Travis to run tests properly facebook/react#574)
• 5f06ac8 bump ecstatic in package.json to ^3.3.2
• f96fc99 Merge branch 'master' into test-on-windows
• c1ea830 do a hacky workaround directly to the http-server package to fix… (Update Jekyll facebook/react#569)
• e708c79 force to install ecstatic v3.3.2 in tests
• 8028337 force to check out files with LF EOL
• 3addf09 test on Windows
• a2e7721 Merge branch 'master' into hacky-fix
• 6260536 Merge pull request Make it easy to run the browser tests on saucelabs facebook/react#510 from ebiiim/patch-1
• dbf4881 -t flag to control timeout (Community round-up #7 facebook/react#295)
• 901ca49 Merge pull request Inconvenient __owner__ assignment prevents updating a component facebook/react#557 from epugh/master
• a0db8f9 add process title (Error: Invalid target element for this operation -- IE9 facebook/react#515)
• da111d6 Update travis node versions (Fixes the name of the component on documentation facebook/react#507)
• afb8f4f Merge pull request Person is <<anonymous>> in IE, breaking tests facebook/react#516 from http-party/specify_engines
• de7cf70 Merge branch 'master' into update-travis-node-versions
• 1755478 Merge pull request Ensure ReactPerf always uses a string as a URL. facebook/react#572 from Xmader/fix-tests

See the full diff

Package name: lighthouse

The new version differs by 157 commits.

• e5f3a7b bump extension to 2.2.1
• 187c6d5 v2.2.1
• fe99052 fix(extension): Restore status logging to extension (Give context aware message if markup reuse fails facebook/react#2629)
• 5501779 v2.2.0
• 664b2d9 bump extension to 2.2.0
• fc39851 launcher to 0.3.0
• edbb40d fix(driver): move performance observer registration to setupDriver (Feature request: ability to configure a custom html escaping function. facebook/react#2611)
• b50bbfd docs (launcher): mention LIGHTHOUSE_CHROMIUM_PATH in readme
• 1bf0e07 update helpText for custom-splash.js ("Unable to find element" error on <option> elements facebook/react#2620)
• 2efc5d6 fix(event-listeners): Add missing DOM.enable (CSSTransitionGroup throws when a child returns null from render facebook/react#2619)
• 4f069b8 docs (hacking-tips): more details on docker travis
• 6d862b0 Remove /deep/ usage (ReactCSSTransitionGroup. How to specify component's properties? facebook/react#2371)
• 57bcf43 feat(config): add extends lighthouse:full (Support for default params with JSXTransformer's harmony flag. facebook/react#2557)
• 7b2e404 docs: headless doc was missing flag (Add top-level API docs section for React.createElement. facebook/react#2615)
• 2d7aca8 Merge pull request Add additional field for ART reconciler facebook/react#2593 from GoogleChrome/streamingjson
• 5363ba3 add streaming json parser
• 7d5e06e add streaming trace writer in saveAssets
• fadaef9 remove report v1 and dependencies (reactComponentExpect expects itself facebook/react#2596)
• 56eaa50 fix(driver): wait for CPU idle via clientside perfObserver (Add React at SoundCloud talk facebook/react#2473)
• 673c3ba CRC audit: child chain renders using its own transfersize. Fixes Replaced document.createElement with ReactTestUtil facebook/react#2597 (Update commonjs example for 0.12 facebook/react#2610)
• 5c8d4ec fix(report): use locale string for all our number output (Permit th headers attribute facebook/react#2553)
• f870d5e [cli] Move bin.ts core into -cli/run.ts (Warn if context values differ, related to issue #2 facebook/react#2602)
• 5d75194 Improve tests around chrome launcher and flags. (Replace mountDepth with isTopLevel facebook/react#2571)
• bb58523 plots: disable flaky smoke test ([RFC] Add enum utility function facebook/react#2606)

See the full diff

Package name: mime

The new version differs by 4 commits.

• eb24bae 1.4.1
• 855d0c4 Fix Ensure that the phantomjs binary has appropriate UNIX mode facebook/react#167
• 1f0af63 1.4.0
• 8d02be2 update to [email protected]

See the full diff

Package name: minimist

The new version differs by 13 commits.

• 6457d74 1.2.3
• 38a4d1c even more aggressive checks for protocol pollution
• 13c01a5 more failing proto pollution tests
• f34df07 1.2.2
• 67d3722 cleanup
• 63e7ed0 don't assign onto __proto__
• 47acf72 console.dir -> console.log
• 0efed03 failing test for protocol pollution
• 29783cd 1.2.1
• 6be5dae add test
• ac3fc79 fix bad boolean regexp
• 4cf45a2 Merge pull request [Snyk] Security upgrade fbjs from 0.8.18 to 2.0.0 #63 from lydell/dash-dash-docs-fix
• 5fa440e move the `opts['--']` example back where it belongs

See the full diff

Package name: nodegit

The new version differs by 250 commits.

• bdae091 Fix workflow for node 8 npm issue
• 0de3294 Bump to v0.26.3
• 36856a1 Merge pull request Question regarding todomvc-flux example and dispatching of actions facebook/react#1743 from implausible/security-fixes
• b5769a2 Bring in security patches from libgit2
• 1047f66 Bupm to v0.26.2
• 0683f2b Update README.md for inactive maintainers
• b66dd42 Merge pull request why does React.Children.only throw? facebook/react#1728 from implausible/feature/commit-walk-commit-models
• d7c9860 Use const qualifier more; use static_cast for void *
• 6ecd368 commitWalk optionally returns plain objects with gpgSignature data
• ee7b26c Bump to v0.26.1
• 7468f5e Merge pull request Why react freeze component? facebook/react#1723 from implausible/bump/libgit2
• 0ff6470 Bump libgit2 to latest fork of master
• 372635a Merge pull request Mutating element attributes leaves behind empty ones facebook/react#1722 from implausible/fix/optional-parameter-on-update-tips
• cd55298 updateTips: optional param and normalizeOptions
• 0228707 Enable builds on tags
• 3699ee9 Bump to v0.26.0
• b6e5fac In testing, retry npm install because of unsolved race condition
• d071af0 Merge pull request Iframes don't update when src's change. facebook/react#1720 from implausible/fix/async-remote-functions
• 46a3456 Merge pull request [jsx] Make sure we throw when we get XML namespaces facebook/react#1719 from implausible/patch/libssh2
• 95e0518 GitRemote upload and updateTips are async
• 129492d Update libssh2 to 1.9
• f2fea6a Merge pull request Event info is lost when handler is delayed facebook/react#1717 from henkesn/rebase-inmemory
• ee79dcb Add test for in-memory rebase
• b495715 Fix rebase using in-memory index

See the full diff

With a Snyk patch:

Severity	Issue	Exploit Maturity
	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	No Known Exploit
	Prototype Pollution npm:extend:20180424	No Known Exploit
	Prototype Pollution npm:hoek:20180212	No Known Exploit
	Uninitialized Memory Exposure npm:stringstream:20180511	Mature
	Regular Expression Denial of Service (ReDoS) npm:tough-cookie:20170905	No Known Exploit

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:

🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic