[Snyk] Fix for 15 vulnerabilities

[snyk-bot]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	619/1000 Why? Has a fix available, CVSS 8.1	Prototype Pollution SNYK-JS-AJV-584908	Yes	No Known Exploit
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution SNYK-JS-DOTPROP-543489	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-ENGINEIO-1056749	Yes	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-HIGHLIGHTJS-1048676	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	Yes	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	Yes	Proof of Concept
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution SNYK-JS-LODASH-567746	Yes	Proof of Concept
	704/1000 Why? Has a fix available, CVSS 9.8	Prototype Pollution SNYK-JS-LODASH-590103	Yes	No Known Exploit
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-608086	Yes	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MOCHA-561476	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Insecure Defaults SNYK-JS-SOCKETIO-1024859	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-SOCKETIOPARSER-1056752	Yes	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-YARGSPARSER-560381	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: documentation

The new version differs by 218 commits.

• 3cbe75d chore(release): 13.1.1
• d775612 deps: Update highlight.js. (feat: check for github actions updates weekly ipfs/aegir#1348)
• 780a8a1 Dependency update bumps (deps: bump @typescript-eslint/eslint-plugin from 5.62.0 to 6.2.1 ipfs/aegir#1345)
• 00b3478 docs: Add TypeScript usage example (fix: hard code mocha runner for pw-test ipfs/aegir#1343)
• 24bbfd4 chore(release): 13.1.0
• dd71624 deps: Update babel dependencies and module-deps-sortable
• bc3233f feat: Add event members to md output (deps: bump playwright-test from 8.4.0 to 11.0.4 ipfs/aegir#1336)
• a366d95 chore(release): 13.0.2
• 325bfad deps: Update yargs dependency.
• a8b6ce1 fix: Additional safety around detecting functions in HTML output
• 78c6a5a chore(release): 13.0.1
• 5f55bb4 chore: Update dependencies
• 2da9d6f try fixing test again ;D
• 28867f8 Fix tests
• 71ceea2 refactor: 💡 type section is redundant and not formatted
• 01b1c2e fix comment typo
• 106945c fix: 🐛 Fixes an issue when using object spread and $Exact
• 78db9a4 fix: 🐛 Error with flow opaque type and readme command
• 35359ab chore(release): 13.0.0
• 45a5257 chore: Update Node minimum version to 10
• 9f3db52 deps: Update chokidar, bump yarn.lock
• e5cbb24 chore(release): 12.3.0
• 443c3ba test: Just test in v12
• d0ec029 feat: upgrade babel dependencies

See the full diff

Package name: eslint

The new version differs by 148 commits.

• 36ced0a 5.0.0
• 5fd5632 Build: changelog update for 5.0.0
• 0feedfd New: Added max-lines-per-function rule (fixes #9842) (#10188)
• daefbdb Upgrade: eslint-scope and espree to 4.0.0 (refs #10458) (#10500)
• 077358b Docs: no-process-exit: recommend process.exitCode (#10478)
• f93d6ff Fix: do not fail on unknown operators from custom parsers (fixes #10475) (#10476)
• 05343fd Fix: add parens for yield statement (fixes #10432) (#10468)
• d477c5e Fix: check destructuring for "no-shadow-restricted-names" (fixes #10467) (#10470)
• 7a7580b Update: Add considerPropertyDescriptor option to func-name-matching (#9078)
• e0a0418 Fix: crash on optional catch binding (#10429)
• de4dba9 Docs: styling team members (#10460)
• 5e453a3 Docs: display team members in tables. (#10433)
• b1895eb Docs: Restore intentional spelling mistake (#10459)
• a9da57d 5.0.0-rc.0
• 3ac3df6 Build: changelog update for 5.0.0-rc.0
• abf400d Update: Add ignoreDestructing option to camelcase rule (fixes #9807) (#10373)
• e2b394d Upgrade: espree and eslint-scope to rc versions (#10457)
• a370da2 Chore: small opt to improve readability (#10241)
• 640bf07 Update: Fixes multiline no-warning-comments rule. (fixes #9884) (#10381)
• 831c39a Build: Adding rc release script to package.json (#10456)
• dc4075e Update: fix false negative in no-use-before-define (fixes #10227) (#10396)
• 3721841 Docs: Add new experimental syntax policy to README (fixes #9804) (#10408)
• d0aae3c Docs: Create docs landing page (#10453)
• fe8bec3 Fix: fix writing config file when `source` is `prompt` (#10422)

See the full diff

Package name: karma

The new version differs by 250 commits.

• 3653caf chore(release): 6.0.0 [skip ci]
• 04a811d fix(ci): abandon browserstack tests for Safari and IE (#3615)
• 4bf90f7 feat(client): update banner with connection, test status, ping times (#3611)
• 68c4a3a chore(test): run client tests without grunt wrapper (#3604)
• fec972f fix(middleware): catch errors when loading a module (#3605)
• 3fca456 fix(server): clean up close-server logic (#3607)
• 1c9c2de fix(test): mark all second connections reconnects (#3598)
• 87f7e5e chore(license): Update copyright notice to 2020 [ci skip] (#3568)
• e6b045f chore(deps): npm audit fix the package-lock.json (#3603)
• 3c649fa chore(build): remove obsolete Grunt tasks (#3602)
• 8997b74 fix(test): clear up clearContext (#3597)
• fe0e24a chore(build): unify client bundling scripts (#3600)
• 1a65bf1 feat(server): remove deprecated static methods (#3595)
• fb76ed6 chore(test): remove usage of deprecated buffer API (#3596)
• 35a5842 feat(server): print stack of unhandledrejections (#3593)
• 4a8178f fix(client): do not reset karmaNavigating in unload handler (#3591)
• 603bbc0 feat(cli): error out on unexpected options or parameters (#3589)
• 7a3bd55 feat: remove support for running dart code in the browser (#3592)
• 1b9e1de fix(deps): bump socket-io to v3 (#3586)
• 3fed0bc fix(cve): update yargs to 16.1.1 to fix cve-2020-7774 in y18n (#3578)
• f819fa8 fix(cve): update ua-parser-js to 0.7.23 to fix CVE-2020-7793 (#3584)
• 05dc288 fix(context): do not error when karma is navigating (#3565)
• e5086fc docs: clarify `browser_complete` vs `run_complete`
• ead31cd chore(release): 5.2.3 [skip ci]

See the full diff

Package name: karma-mocha

The new version differs by 18 commits.

• 5828416 chore(release): 2.0.0 [skip ci]
• 4e35a55 chore(ci): semantic-release on success (Test case for retries in mocha ipfs/aegir#221)
• 00b24b6 chore(deps-dev): bump eslint from 2.13.1 to 4.18.2 (add lead maintainer ipfs/aegir#220)
• f7ec4e7 Merge pull request Add cobertura as a code coverage reporter ipfs/aegir#218 from karma-runner/semanitic-release
• 5a5b6d5 feat(ci): enable semanitic-release
• 36404cf Merge pull request feat: Allow loading resources from hoisted dependencies ipfs/aegir#217 from franktopel/minimist-update
• bab0416 updated minimum version of minimist dependency to ^1.2.3 instead of 1.2.0
• 3f9e4b7 Revert "updated minimum version of minimist dependency to ^1.2.3 instead of 1.2.0"
• a9bfdf9 updated minimum version of minimist dependency to ^1.2.3 instead of 1.2.0
• 3dd7a56 Merge pull request It's way too big! (Working on making aegir smaller) ipfs/aegir#215 from mbaumgartl/update-node-versions
• 844939c Merge pull request WIP: Flow specific changes ipfs/aegir#213 from mbaumgartl/fix-travis-build
• fd64f5b Update Node.js versions
• 6eb28de Fix Travis builds
• c8feade Merge pull request Make dist output usable directly by webpack ipfs/aegir#210 from elpddev/chore/align-node-support-same-as-karma
• ea076c0 test(mock-fs): update mock-fs version
• 2fb6c93 ci(node versions): change running node verison the same as karma package
• 6c63662 Merge pull request readme - typo fix ipfs/aegir#122 from maksimr/karma-mocha-109
• e847121 feat: Expose 'pending' status

See the full diff

Package name: mocha

The new version differs by 250 commits.

• eb781e2 Release v6.2.3
• 10dbe94 update CHANGELOG for v6.2.3 [ci skip]
• 848d6fb security: update mkdirp, yargs, yargs-parser
• 843a322 6.2.2
• aec8b02 update CHANGELOG for v6.2.2 [ci skip]
• 7a8b95a npm audit fixes
• cebddf2 Improve reporter documentation for mocha in browser. (#4026)
• 3f7b987 uncaughtException: report more than one exception per test (#4033)
• ee82d38 modify alt text of image from Backers to Sponsors inside Sponsors section in Readme (#4046)
• e9c036c special-case parsing of "require" in unparseNodeArgs(); closes #4035 (#4063)
• 954cf0b Fix HTMLCollection iteration to make unhide function work as expected (#4051)
• 816dc27 uncaughtException: fix double EVENT_RUN_END events (#4025)
• 9650d3f add OpenJS Foundation logo to website (#4008)
• f04b81d Adopt the OpenJSF Code of Conduct (#3971)
• aca8895 Add link checking to docs build step (#3972)
• ef6c820 Release v6.2.1
• 9524978 updated CHANGELOG for v6.2.1 [ci skip]
• dfdb8b3 Update yargs to v13.3.0 (#3986)
• 18ad1c1 treat '--require esm' as Node option (#3983)
• fcffd5a Update yargs-unparser to v1.6.0 (#3984)
• ad4860e Remove extraGlobals() (#3970)
• b269ad0 Clarify effect of .skip() (#3947)
• 1e6cf3b Add Matomo to website (#3765)
• 91b3a54 fix style on mochajs.org (#3886)

See the full diff

Package name: mocha-jenkins-reporter

The new version differs by 13 commits.

• c4ad366 Update version number to 0.4.3
• b12abe1 also update mocha
• 16c2ba3 update mkdirp to fix security issue
• 93e5b23 [misc] fix the dependency relation with mocha
• d313c64 Update version number to 0.4.2.
• cb036cc Upgrade eslint to avoid a vulnerability warning.
• da16815 Upgrade diff to the latest version, should be compatible.
• 70a7625 Remove invalid characters from failure message.
• 2747938 Update version number to 0.4.1.
• 939f2af Better support skipped cypress.io test cases
• 38472fb Update version number to 0.4.0.
• f04d816 Merge pull request aegir 9.2.0 is failing in a weird way ipfs/aegir#79 from mrbar42/patch-1
• e95468c update mocha due to vulnerability

See the full diff

Package name: nyc

The new version differs by 94 commits.

• e21721a chore(release): 14.0.0
• 8cf8a89 docs: update issue template [skip ci] (fix: remove no-bundle from test build and fix flag ipfs/aegir#1008)
• d7a9d6a chore: Update package-lock.json
• 189bae8 chore: Update dependencies for 14.0.0-rc.1
• 2eb13c6 feat: instrument `--complete-copy` implementation (aegir check-project updates README.md with incorrect repo for issues link ipfs/aegir#1056)
• c88a852 docs: `nyc instrument` and `--exclude-node-modules` (deps: bump @types/node from 16.11.47 to 18.7.1 ipfs/aegir#1039)
• c213469 feat: always build the processinfo temp dir (deps: bump eslint-config-ipfs from 2.2.1 to 3.1.0 ipfs/aegir#1061)
• e597c46 feat: Add support for --exclude-node-modules to subcommands. (sync: update CI config files ipfs/aegir#1053)
• 8dcf180 feat: add processinfo index, add externalId (fix: check-project uses correct projectDir ipfs/aegir#1055)
• 32f75b0 fix: set processinfo pid/ppid to actual numbers (deps: bump @types/node from 16.11.56 to 18.7.13 ipfs/aegir#1057)
• 16d4315 chore: Stop excluding `bin` from coverage results. (deps: bump @types/node from 16.11.56 to 18.7.14 ipfs/aegir#1060)
• b909575 fix: Use a single instance of nyc for all actions of main command. (Integrate c8 for code coverage ipfs/aegir#1059)
• 997ed29 chore: Remove arrify dependency. (deps(dev): bump electron from 19.0.14 to 20.1.0 ipfs/aegir#1058)
• 68d6333 docs: move setup docs out of the readme [skip ci] (deps: bump @types/node from 16.11.52 to 18.7.9 ipfs/aegir#1052)
• 8da097e feat: add `include` and `exclude` options to instrument command (fix: update typescript, esbuild, tempy ipfs/aegir#1007)
• 31817de chore: Update dependencies (deps(dev): bump electron from 19.0.13 to 20.0.3 ipfs/aegir#1050)
• 18e04ba fix: make --all work for transpiled code (deps: bump esbuild from 0.14.54 to 0.15.5 ipfs/aegir#1047)
• b7e16cd feat: Support turning off node_modules default exclude via flag (chore(deps-dev): bump electron from 13.6.2 to 16.0.1 ipfs/aegir#912)
• 3eb0e37 docs: A bunch of docs fix-ups (deps: bump @electron/get from 1.14.1 to 2.0.0 ipfs/aegir#1038)
• 5c1eb38 test(instrument): should return unmodified source if no transform found (feat: tell lerna to use npm workspaces ipfs/aegir#1036)
• 1f6c3d4 docs: project root directory and `--cwd` doc (deps(dev): bump electron from 19.0.11 to 20.0.1 ipfs/aegir#1032)
• 051d95a fix: Add `cwd` option to instrument command (chore(deps): bump @types/node from 16.11.45 to 18.6.1 ipfs/aegir#1024)
• 91e02c6 chore: A few code cleanups (deps: bump @types/node from 16.11.47 to 18.6.4 ipfs/aegir#1033)
• 2867538 feat: Rename `plugins` option to `parser-plugins`. (fix: update sibling dep update message ipfs/aegir#1031)

See the full diff

Package name: webpack

The new version differs by 250 commits.

• 213226e 4.0.0
• fde0183 Merge pull request #6081 from webpack/formating/prettier
• b6396e7 update stats
• f32bd41 fix linting
• 5238159 run prettier on existing code
• 518d1e0 replace js-beautify with prettier
• 4c25bfb 4.0.0-beta.3
• dd93716 Merge pull request #6296 from shellscape/fix/hmr-before-node-stuff
• 7a07901 Merge pull request #6563 from webpack/performance/assign-depth
• c7eb895 Merge pull request #6452 from webpack/update_acorn
• 9179980 Merge pull request #6551 from nveenjain/fix/templatemd
• e52f323 optimize performance of assignDepth
• 6bf5df5 Fixed template.md
• 90ab23a Merge branch 'master' into fix/hmr-before-node-stuff
• b0949cb add integration test for spread operator
• 39438c7 unittest now also walks the ast
• 15ab027 Merge pull request #6536 from jevan0307/sideEffects-selectors
• 1611ce1 Merge pull request #6561 from joshunger/patch-1
• 6e175bc Merge pull request #6549 from webpack/md4_hash
• 0637531 Add a hyperlink to create a new issue
• 0e1f9c6 Merge pull request #6554 from webpack/deps/end-of-beta
• 72477f4 upgrade versions to stable versions
• ed30285 Merge pull request #6546 from webpack/bot/review-permission
• 40ee8c7 Use MD4 for hashing

See the full diff

Package name: yargs

The new version differs by 84 commits.

• 706fc7a chore(release): 13.1.0
• 95700d6 test: add tests for alias behavior, based on conversations today (deps: bump @types/node from 18.16.16 to 20.2.5 ipfs/aegir#1291)
• f45a817 chore: slight refactor of approach being used, add support for per-command
• 5be206a feat: add applyBeforeValidation, for applying sync middleware before validation
• cc8af76 chore(release): 13.0.0
• e9dc3aa feat: options/positionals with leading '+' and '0' no longer parse as numbers (deps: bump @types/node from 18.16.15 to 20.2.4 ipfs/aegir#1286)
• ef16792 chore: drop Node 6 from testing matrix (fix(tsconfig): replace deprecated importsNotUsedAsValues with verbatimModuleSyntax ipfs/aegir#1287)
• f25de4f chore: update dependencies (deps: bump eslint-plugin-jsdoc from 43.2.0 to 44.2.5 ipfs/aegir#1284)
• 6916ce9 feat: adds config option for sorting command output (deps: bump @semantic-release/npm from 9.0.2 to 10.0.3 ipfs/aegir#1256)
• 7b200d2 chore: increase test timeout for windows
• 64af518 fix: middleware added multiple times due to reference bug (deps: bump @types/node from 18.16.14 to 20.2.3 ipfs/aegir#1282)
• 61f1b25 doc: update docs to reflect new parserConfiguration method (deps: bump @types/node from 18.16.12 to 20.2.0 ipfs/aegir#1280)
• 3c6869a feat: Add `.parserConfiguration()` method, deprecating package.json config (deps: bump @types/node from 18.16.6 to 20.1.1 ipfs/aegir#1262)
• da75ea2 fix: better bash path completion (deps: bump playwright-test from 8.4.0 to 9.1.0 ipfs/aegir#1272)
• e0c62c8 doc: edit help example to align with actual output (deps: bump @types/node from 18.16.9 to 20.1.4 ipfs/aegir#1271)
• bc0ee40 chore: address @ aorinevo's code review so that we can land
• f3a4e4f feat: support promises in middleware
• 64a0d7e docs: Testing command modules ('yarn install' does not install all dependencies ipfs/aegir#1267)
• 0510fe6 fix(validation): Use the error as a message when none exists otherwise (deps: bump eslint-plugin-jsdoc from 43.2.0 to 44.2.2 ipfs/aegir#1268)
• 27bf739 fix(deps): Update os-locale to avoid security vulnerability (deps: bump eslint-plugin-jsdoc from 43.2.0 to 44.2.3 ipfs/aegir#1270)
• 54e165d docs(advanced): document non-singleton use, .exit() and parsed (deps: bump playwright-test from 8.4.0 to 9.0.0 ipfs/aegir#1251)
• 8789bf4 chore(release): 12.0.5
• dc8d63f chore: explicit update to yargs-parser
• eacc035 fix: allows camel-case, variadic arguments, and strict mode to be combined (deps: bump eslint-plugin-jsdoc from 39.9.1 to 43.1.1 ipfs/aegir#1247)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic