[Snyk] Fix for 28 vulnerabilities

[snyk-bot]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json
  • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	619/1000 Why? Has a fix available, CVSS 8.1	Prototype Pollution SNYK-JS-AJV-584908	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-HOSTEDGITINFO-1088355	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-ISSVG-1085627	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-ISSVG-1243891	Yes	Proof of Concept
	509/1000 Why? Has a fix available, CVSS 5.9	Denial of Service (DoS) SNYK-JS-JSYAML-173999	Yes	No Known Exploit
	619/1000 Why? Has a fix available, CVSS 8.1	Arbitrary Code Execution SNYK-JS-JSYAML-174129	Yes	No Known Exploit
	658/1000 Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 5.3	Denial of Service (DoS) SNYK-JS-JSZIP-1251497	No	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-174116	No	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-451540	No	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-MERGE-1040469	Yes	No Known Exploit
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-MERGE-1042987	Yes	Proof of Concept
	486/1000 Why? Mature exploit, Has a fix available, CVSS 2	Prototype Pollution SNYK-JS-MERGE-72553	No	Mature
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	No	Proof of Concept
	706/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.7	Server-side Request Forgery (SSRF) SNYK-JS-NETMASK-1089716	No	Proof of Concept
	520/1000 Why? Has a fix available, CVSS 5.9	Denial of Service SNYK-JS-NODEFETCH-674311	Yes	No Known Exploit
	726/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.1	Arbitrary File Overwrite SNYK-JS-NPM-537603	Yes	Proof of Concept
	451/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 2.6	Unauthorized File Access SNYK-JS-NPM-537604	Yes	Proof of Concept
	726/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.1	Arbitrary File Write SNYK-JS-NPM-537606	Yes	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Insertion of Sensitive Information into Log File SNYK-JS-NPM-575435	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-NPMUSERVALIDATE-1019352	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-POSTCSS-1255640	Yes	Proof of Concept
	696/1000 Why? Recently disclosed, Has a fix available, CVSS 8.2	Arbitrary File Overwrite SNYK-JS-TAR-1536528	Yes	No Known Exploit
	696/1000 Why? Recently disclosed, Has a fix available, CVSS 8.2	Arbitrary File Overwrite SNYK-JS-TAR-1536531	Yes	No Known Exploit
	481/1000 Why? Recently disclosed, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) SNYK-JS-TAR-1536758	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-TRIMNEWLINES-1298042	Yes	No Known Exploit
	434/1000 Why? Has a fix available, CVSS 4.4	Time of Check Time of Use (TOCTOU) npm:chownr:20180731	Yes	No Known Exploit
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:hoek:20180212	Yes	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Access Restriction Bypass npm:npm:20180222	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: isomorphic-fetch

The new version differs by 12 commits.

• fc5e0d0 3.0.0
• 496fa43 Add version that was previously uncomitted to the package.json due to the previous release process
• 9f5a8b6 Add a list of alternatives
• 49280e6 Resolve minor security issue
• 0f5edd0 Explain why Isomorphic Fetch is needed in docs (Update dependencies. alanshaw/david-www#135)
• e32b006 Fix travis (Wrong security information alanshaw/david-www#190)
• db0aa8c Update to latest version
• 8bf02c4 Bump node-fetch from 1.7.3 to 2.6.1 (List repos in organization profile page alanshaw/david-www#189)
• 89c7e70 Merge pull request Updates alanshaw/david-www#93 from paulmelnikow/fetch_ponyfill
• 25e3cab Add link to fetch-ponyfill
• 8d33aba Merge pull request Minor improvements (2) alanshaw/david-www#90 from josiah0/update-lintspaces-cli
• c22fcda Update lintspaces-cli

See the full diff

Package name: merge

The new version differs by 29 commits.

• 56ca75b build: v2.1.1
• 7b0ddc2 fix: prototype pollution
• 8686d85 build: bump version
• 80151be build
• 0acaaf3 build: update dev dependencies
• f571887 Merge pull request Allow popular module pack graph to spill into right hand column on homepage alanshaw/david-www#38 from 418sec/master
• 869927f Merge pull request [Snyk] Fix for 21 vulnerabilities #1 from alromh87/master
• c2f8454 Fix Prototype Pollution
• bf8b1ff build: include typings
• ece8885 Merge pull request [Snyk] Security upgrade uglify-js from 3.3.12 to 3.14.3 #32 from yeikos/develop
• 43ffa43 build: include only needed files
• 7bf0fc8 fix: export default function (typings)
• 159e724 build: bump version
• 21f4105 fix: default typings
• 36d4b9c build: new npm scripts
• eabfd6f build: CommonJS support
• bf85170 test: add merge script
• 75ba781 build: add editor config
• 2d2b54a build: update ignored files
• b36036a docs: remove license copyright
• 1385593 build: update main script and description
• 2b22e6b docs: update readme
• 7cc6574 build: package-lock.json
• 29e46a8 build: ts and webpack config

See the full diff

Package name: meta-marked

The new version differs by 5 commits.

• d5de553 Bump minor versions of dependencies and bump version
• 1cc2163 Merge pull request [Snyk] Security upgrade node-sass from 4.13.1 to 6.0.1 #19 from j201/dependabot/npm_and_yarn/minimist-1.2.5
• 6448630 Bump minimist from 1.2.0 to 1.2.5
• 44c5db0 Merge pull request [Snyk] Security upgrade cssnano from 3.10.0 to 4.0.0 #17 from garyjzhao/gz/update-dependencies
• 0c73f6a updated dependencies to fix vulnerabilities

See the full diff

Package name: mkdirp

The new version differs by 4 commits.

• b2e7ba0 0.5.2
• c5b97d1 bump minimist to 1.2 to fix security issue
• f2003bb test: add v4 and v5 to travis
• b8629ff tools: update tap + mock-fs. Fix broken test

See the full diff

Package name: node-sass

The new version differs by 64 commits.

• c167004 6.0.1
• 911d4db remove mkdirp dep (#3108)
• 30a52f7 build(deps): bump meow from 3.7.0 to 9.0.0
• 7e08463 build(deps-dev): bump mocha from 8.4.0 to 9.0.1
• cfcbb2c chore: Use default Apline version from docker-node (#3121)
• 886319b chore: Drop Node 10 support
• c908f4f fix: Bump OSX minimum to 10.11
• 8ab02da fix: Remove old compiler gyp settings
• 3d7b9d0 chore: Add Node 16 support
• 4115e9d build(deps): bump actions/setup-node from v2.1.4 to v2.1.5
• 06f3ab4 Update TROUBLESHOOTING.md
• c1cb367 build(deps): bump actions/setup-node from v2.1.3 to v2.1.4
• 769f3a6 build(deps): bump actions/setup-node from v2.1.2 to v2.1.3
• a2a3a78 chore: Bump dependabot limit
• 7105b0a 5.0.0 (#3015)
• 0648b5a chore: Add Node 15 support (#2983)
• e2391c2 Add a deprecation message to the readme (#3011)
• 6a33e53 chore: Don't upload artifacts on PRs
• d763506 chore: Only run coverage on main repo
• d4ebe72 build(deps): update actions/setup-node requirement to v2.1.2
• 2bebe05 build(deps-dev): bump rimraf from 2.7.1 to 3.0.2
• f877689 chore: Don't double build DependaBot PRs
• b48fac4 chore: Add weekly DependaBot updates
• 91c40a0 Remove deprecated process.sass API

See the full diff

Package name: npm

The new version differs by 250 commits.

• 66092d5 6.14.6
• 46e91d9 update AUTHORS
• 66aab41 docs: changelog for 6.14.6
• 94eca63 npm-registry-fetch@4.0.5
• a9857b8 chore: remove auth info from logs
• 479e45c style: fix lint error with no trailing comma
• 1aec4cb test: add test for `npm doctor` that ping registry returns error
• b7ad775 fix: wrong `npm doctor` command result
• 9a2e2e7 docs: Fix typo
• c49b6ae spdx-license-ids@3.0.5
• 3dd429e docs: Add note about dropped `*` filenames
• 0ca3509 Update npm-link.md
• 2e05298 chore(docs): fixed links to cli commands
• abdf528 6.14.5
• 074f9a5 update AUTHORS
• 1238ee0 chore: remove slack notification
• 19a0230 docs: updated node-gyp links
• 36c878d chore: remove pyc files from tarball
• 0f219cc chore: reenable windows ci
• 725bef8 docs: changelog for 6.14.5
• e6d2083 nopt@4.0.3
• 8228d1f mkdirp@0.5.5
• 07a4d88 graceful-fs@4.2.4
• 5587ac0 npm-registry-fetch@4.0.4

See the full diff

Package name: prop-types

The new version differs by 23 commits.

• fa6fbb7 15.6.2
• 5115f5c Merge pull request Update libs alanshaw/david-www#180 from jaller94/master
• 2ac742c Merge pull request New apple-touch-icon.png and logo images. alanshaw/david-www#171 from barrymichaeldoyle/master
• a7a5a64 Merge pull request The API does not support CORS alanshaw/david-www#194 from facebook/no-fbjs
• d6c9c5c Preserve "Invariant Violation" name
• 07d1b47 Remove fbjs dependency
• 3c99d57 Remove trailing spaces
• a36cda8 Move explanation of `isRequired` and show it in `PropTypes.shape`
• ba3da12 Show that shapes can have required properties
• 2bde8eb Add example for `PropTypes.exact`
• d65f80e Updated vars to consts and lets in PropTypesProductionStandalone-test.js
• c10c93f Updated vars to consts and lets in PropTypesDevelopmentStandalone-test.js
• 8e2b34e Updated vars to consts and lets in PropTypesDevelopmentReact15.js
• c5527c8 Updated vars with consts and lets in PropTypesProductionReact15-test.js
• 7cc8c81 Add 15.6.1 to CHANGELOG
• 5df7296 15.6.1
• b7d03ce Point readme to correct docs for production builds (Watching dependencies alanshaw/david-www#153)
• a94243f Update the repository location (devDependency checks down? alanshaw/david-www#148)
• 77c62a7 Fix failing tests (Properly disable warnings in grunt-contrib-uglify. alanshaw/david-www#129)
• 644844c Merge pull request DevDependencies page keeps "loading" and never updates alanshaw/david-www#140 from flarnie/master
• 0b5db12 Add `CODE_OF_CONDUCT`
• a6900f0 Add CONTRIBUTING.md
• 492e230 Update README.md with improved importing for CDNs (Multiple package.json(s) alanshaw/david-www#104)

See the full diff

Package name: snyk

The new version differs by 250 commits.

• 8387aed Merge pull request #2111 from snyk/fix/update-jszip
• e686299 fix: update plugins package versions
• 7f0b32e Merge pull request #2108 from snyk/smoke/binary-cdn
• e974b9d test: use binary from cdn for smoke tests
• 64e3fe8 Merge pull request #2107 from snyk/refactor/analytics-tests
• 0f2a7e3 refactor: call anaytics module the right way
• 0b833f6 refactor: use await syntax rather than callbacks
• fce83d5 Merge pull request #2096 from snyk/feat/iac-tracking
• f7f2961 feat: track IaC local execution tests [CC-972]
• 9e7f79a Merge pull request #2104 from snyk/feat/centralize-colors
• 3292ffb feat: Centralize icons and err messages by theme
• e3c3ac0 feat: central colors theme
• 2aecd40 Merge pull request #2074 from snyk/docs/update-protect-readme
• 0203c6c Merge pull request #2100 from snyk/fix/propagate-error-message
• 7416bc9 docs: update protect readme
• 42288e0 fix: propagate userMessage to 404 errors
• 77336a0 Merge pull request #2099 from snyk/test/migrate-trust-policies-jest
• e2106f1 test: migrate trust-policies to jest
• b227f78 Merge pull request #2095 from snyk/protect/smoke-tests
• 20b05d0 Merge pull request #2087 from snyk/chore/async-test-with-polling
• d7f23e0 Merge pull request #2098 from snyk/fix/bump-docker-plugin
• cb2ecf1 fix: bump docker plugin version with fixes
• 697f81f chore(protect): fix production test caching
• d21cff7 chore: init support async test with polling

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic