[Snyk] Fix for 32 vulnerabilities

[shabith]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	661/1000 Why? Recently disclosed, Has a fix available, CVSS 7.5	Missing Release of Resource after Effective Lifetime SNYK-JS-INFLIGHT-6095116	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	Yes	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-450202	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-608086	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-73638	Yes	Proof of Concept
	541/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	Yes	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASHTEMPLATE-1088054	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-1019388	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-3050818	Yes	No Known Exploit
	661/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.8	Arbitrary Code Injection SNYK-JS-MORGAN-72579	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Out-of-Bounds SNYK-JS-NODESASS-535498	Yes	Proof of Concept
	761/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.8	NULL Pointer Dereference SNYK-JS-NODESASS-535500	Yes	Proof of Concept
	536/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.3	Out-of-bounds Read SNYK-JS-NODESASS-540958	Yes	Proof of Concept
	536/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.3	Uncontrolled Recursion SNYK-JS-NODESASS-540964	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Denial of Service (DoS) SNYK-JS-NODESASS-540978	Yes	Proof of Concept
	536/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.3	NULL Pointer Dereference SNYK-JS-NODESASS-540992	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Out-of-Bounds SNYK-JS-NODESASS-540998	Yes	Proof of Concept
	654/1000 Why? Has a fix available, CVSS 8.8	Use After Free SNYK-JS-NODESASS-541000	Yes	No Known Exploit
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Out-of-bounds Read SNYK-JS-NODESASS-541002	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Poisoning SNYK-JS-QS-3153490	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Server-side Request Forgery (SSRF) SNYK-JS-REQUEST-3361831	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-UNSETVALUE-2400660	Yes	No Known Exploit
	816/1000 Why? Mature exploit, Has a fix available, CVSS 8.6	Uninitialized Memory Exposure npm:base64-url:20180512	Yes	Mature
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:fresh:20170908	Yes	No Known Exploit
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:lodash:20180130	Yes	Proof of Concept
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:mime:20170907	Yes	No Known Exploit
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:ms:20170412	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Override Protection Bypass npm:qs:20170213	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: gulp

The new version differs by 250 commits.

• 55eb23a Release: 4.0.0
• 173a532 Docs: Fix the installation instructions
• ec54d09 Docs: Improve note about out-of-date docs
• 03b7c98 Docs: Update recipes to install gulp@next
• 2eba29e Docs: Remove run-sequence from recipes
• 76eb4d6 Docs: Add installation instructions & update badges
• fbc162f Docs: Remove references to gulp-util
• 3011cf9 Scaffold: Normalize repository
• f27be05 Update: Remove graceful-fs from test suite
• 361ab63 Upgrade: Update glob-watcher
• 064d100 Build: Avoid broken node 9
• 057df59 Release: 4.0.0-alpha.3
• c1ba80c Breaking: Upgrade major versions of glob-watcher, gulp-cli & vinyl-fs
• 89acc5c Docs: Improve ES2015 task exporting examples (#1999)
• 0ac9e04 Docs: Add "Project structure" section to CONTRIBUTING.md (#1859)
• 723cbc4 Docs: Fix syntax in recipe example (#1715)
• d420a6a Docs: Have gulp.lastRun take a function to avoid task registration (#1828)
• 29ece6f Upgrade: Update undertaker
• e931cb0 Docs: Fix changelog typos (#1696)
• 477db84 Docs: Add a "BrowserSync with Gulp 4" recipe (#1659)
• d4ed3c7 Docs: Add options.cwd for gulp.src API (#1645)
• 5dc3b07 Docs: Update gulp.watch API to align with glob-watcher
• 0c66069 Breaking: Replace chokidar as gulp.watch with glob-watcher wrapper
• c3dbc10 Docs: Clarify incremental builds example (#1609)

See the full diff

Package name: gulp-autoprefixer

The new version differs by 35 commits.

• d008588 4.1.0
• 27816c3 Meta tweaks
• 94f3447 Drop dependency on deprecated gulp-util (#94)
• 60aead3 Test against Node.js v8 (#90)
• 5188604 4.0.0
• 04814b7 Rewrite tests to use AVA
• 7df69ba ES2015ify, bump postcss, require Node.js 4
• 0a92d79 Update to Autoprefixer 7 (#80)
• cd022c8 Fix tests
• 90f8f7c Improve the tip (#75)
• a276609 3.1.1
• f6a972d trying out something new
• 324ff05 minor tweaks
• fb035b5 add tip about PostCSS plugins
• 8cc62f4 3.1.0
• 5923c61 bump deps
• 249cec5 3.0.2
• 24ed6a4 minor tweaks
• f1ea075 travis - test on Node.js 4
• 7d4f8b8 3.0.1
• 88757c5 remove Node.js 0.10 support
• 4b7c43b 3.0.0
• 7bda96e add XO
• a5f34c4 autoprefixer@6.0.0

See the full diff

Package name: gulp-concat

The new version differs by 37 commits.

• c179a8c 2.6.1
• 9db55f5 dep updates
• 5ac5f15 Merge pull request #119 from umaar/patch-1
• cbb499d Update 'repository' of package.json to point to point to contra
• dbd933d Merge pull request #118 from glcheetham/master
• e1ac83c Wrapped file paths in path.normalize in test/main.js to address failing tests on windows (issue #117)
• 45a3b11 Merge pull request #111 from T1st3/patch-1
• 18457f8 chore: update travis matrix
• 1b4afe3 Merge pull request #108 from sturobson/master
• 02ea51c adds short gulp installation details
• 0f14107 Merge pull request #106 from thewarpaint/fix-travis-status-image
• 0fa2455 Fix Travis CI status image URL
• 48e757a 2.6.0
• 59bcac3 Merge pull request #98 from erikkemperman/newpull
• cbaf048 Clone attributes from most recently modified source rather than the first
• 7fc4e13 Merge pull request #95 from pgilad/patch-1
• e5adf7d update license attribute
• 21de607 2.5.2
• 1ce5c77 Merge pull request #87 from kahwee/patch-1
• 50f2c01 Remove engineStrict
• 84d82e6 2.5.1
• 7937e92 Merge pull request #86 from dapetcu21/master
• 2af113e Test for #85
• fe06263 Fixed #85

See the full diff

Package name: gulp-connect

The new version differs by 94 commits.

• aa10ee3 5.6.1
• a80e3e5 Merge pull request #257 from rejas/update_dependencies
• c6034b8 Cleanup test file
• edcfba8 Update ansi-colors package
• 429068d Only test supported node versions
• 2055d29 Undo typescript update to avoid breaking tests
• 4e3c831 Update all dependencies
• 7192d9e bump 5.5.0
• 13db10c Merge pull request #250 from nickpape-msft/nickpape/lazy-load-http2
• 0c7270c Only load http2 if preferHttp1 is false
• d103fd6 5.4.0
• 8fa06cf add package-lock.json
• 7265554 Merge pull request #247 from nickpape-msft/master
• df25440 bump 5.3.0
• 8869a6d Add a config option for preferring HTTP2
• 0cf6a67 Merge pull request #245 from zbennett10/master
• 6dfe3ca Update README.md
• 3020dc3 Add files via upload
• f9eca17 Upgrade connect package and add needed dependencies for upgrade
• 58abff2 5.2.0 Fixes #241
• 336f5fa Merge pull request #243 from Kyrodan/patch-2
• 951ff57 Merge pull request #244 from Kyrodan/patch-3
• 535132e Merge pull request #242 from Kyrodan/patch-1
• 9b2591b Fixes #236 https does not work with node 8.8

See the full diff

Package name: gulp-rev

The new version differs by 62 commits.

• bb3a3fd 8.1.1
• e46406b Replace gulp-util with smaller modules (#237)
• 6c9bcac Remove Code Sponsor
• fe0c551 8.1.0
• 47ffbe0 Bump `rev-path`
• fc74b5b Try out Code Sponsor
• cdf63fa Pass resolved, absolute paths to relPath() (#220) (#222)
• 567c340 Update readme.md (#224)
• 898dffc 8.0.0
• d290ff8 Meta tweaks
• a89f0df Make tests independent of platform specific path separator (#219) (#221)
• 71a0377 Add a note about non-deterministic streams order (#213)
• f5ee9ee Meta tweaks
• 731be70 Move list of maintainers into the readme for visibility
• 192a075 Meta tweaks
• 7acdb13 Move tests from Mocha to AVA (#212)
• 82c185c More realistic example (#203)
• 02fbeba add XO badge
• 8686e62 [breaking] ES2015ify and require Node.js 4
• ed53cef meta tweaks
• 17d6bb4 docs: change number of approaches (#196)
• e895123 7.1.2
• c9ba5b2 7.1.1
• f16a865 trying out something new

See the full diff

Package name: gulp-sass

The new version differs by 135 commits.

• 5775044 Update CHANGELOG.md
• 978b8f6 Update to major version 5 (#802)
• 10eae93 Update changelog for 4.1.1
• 947b26c Upgrade lodash to fix a security issue (#776)
• 8d6ac29 Update changelog
• 43c0547 4.1.0
• ebe3ec6 Set appropriate file stat times (#763)
• 7ab018e Migrate to the lodash package
• fa670c6 4.0.2
• fefa00e Revert package.json version bump
• 98254d2 Fix README typos
• 8a14419 Continue loading Node Sass by default
• 938afbe Add a note about synchronous versus asynchronous speed
• 7cc2db1 Make this package implementation-agnostic
• 643f73b Add documentation for synchronous code options
• 0b3c7e7 4.0.1
• daca90d Merge pull request #681 from DKvistgaard/master
• 71471c2 Declaring logError as function instead of arrow function.
• 450a7b8 4.0.0
• e9b1fe8 Fix node versions in appveyor.yml
• 44be409 Merge pull request #667 from dlmanning/next
• 7656eff Adopt airbnb eslint preset
• 1293169 Bump autoprefixer@^8.1.0, gulp-postcss@^7.0.1
• 9fa817b Bump gulp-sourcemaps@^2.6.4

See the full diff

Package name: gulp-template

The new version differs by 15 commits.

• 55805ee 5.0.0
• 229b21c Require Node.js 4
• 4939d79 Drop dependency on deprecated `gulp-util` ([Snyk] Security upgrade gulp-sass from 2.0.0 to 5.0.0 #42)
• e032d9e 4.0.0
• a6b44a4 bump lodash
• 8675850 Close [Snyk] Fix for 1 vulnerabilities #29 PR: chore: update travis matrix.
• cec7e12 3.1.0
• f4f16aa bump deps
• ca33901 3.0.0
• f7f1c9e upgrade to lodash 3.0.0
• 4adfc41 2.1.1
• 0584f8c Close [Snyk] Fix for 1 vulnerabilities #24 PR: Fix gulp-data support.
• ead55ed Update .travis.yml
• 899d903 Merge pull request [Snyk] Fix for 2 vulnerable dependencies #23 from Turbo87/master
• e753d2b Merge common boilerplate code

See the full diff

Package name: gulp-uglify

The new version differs by 35 commits.

• e4f9045 2.0.0
• 566ec6a refactor(tests): write tests with mocha
• 5651111 refactor(tests): replace `cmem` with `testdouble`
• b82387b refactor(tests): compose streams with `mississippi` utilities
• 1232c3c fix(errors): emit errors of type `GulpUglifyError`
• 5632cee fix(minifer): use `gulplog` for the warning
• 8160697 feat(minifier): use UglifyJS 2.7.0's input map support
• 3ec8fc3 chore(package): update uglify-js to version 2.7.0
• a9c55b9 doc(README): spelling mistake in example
• 80da765 chore(release): 1.5.4
• 01fb8ca chore(package): update uglify-js to version 2.6.4
• 8aa877e chore(package): update uglify-js to version 2.6.3
• 0027093 chore(lint): resolve lint failures
• fe2158a chore(package): update xo to version 0.16.0
• a03b663 docs(README): document how to minify (some) ES6
• 1eb00a8 chore(xo): resolve lint failures
• a4376ad chore(package): update xo to version 0.15.0
• c9d11a1 docs(pump): correct error handler example
• b446cf7 docs(README): clean up badges
• c3f6005 docs(README): suggest using `pump` to capture errors
• eb9893e chore(line): resolve xo@0.14.0 lint failures
• 9d59beb chore(package): update xo to version 0.14.0
• aba369b docs(README): fix-up typo
• 5a70cd0 docs(README): document "minifier" entry point

See the full diff

Some vulnerabilities couldn't be fully fixed and so Snyk will still find them when the project is tested again. This may be because the vulnerability existed within more than one direct dependency, but not all of the affected dependencies could be upgraded.

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Prototype Pollution
🦉 Arbitrary Code Injection
🦉 More lessons are available in Snyk Learn