[Snyk] Fix for 15 vulnerabilities

[snyk-bot]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:

  • package.json
  • package-lock.json

• Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
  Find out more.

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	619/1000 Why? Has a fix available, CVSS 8.1	Prototype Pollution SNYK-JS-AJV-584908	Yes	No Known Exploit
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MOCHA-561476	Yes	No Known Exploit
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-YARGSPARSER-560381	Yes	Proof of Concept
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:braces:20180219	No	Proof of Concept
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	Yes	No Known Exploit
	676/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.1	Regular Expression Denial of Service (ReDoS) npm:diff:20180305	Yes	Proof of Concept
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:eslint:20180222	No	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:fresh:20170908	No	No Known Exploit
	704/1000 Why? Has a fix available, CVSS 9.8	Arbitrary Code Injection npm:growl:20160721	Yes	No Known Exploit
	469/1000 Why? Has a fix available, CVSS 5.1	Denial of Service (DoS) npm:mem:20180117	Yes	No Known Exploit
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:mime:20170907	No	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: body-parser

The new version differs by 40 commits.

• b2659a7 1.18.2
• 6339bf7 perf: remove argument reassignment
• d5f9a4a deps: debug@2.6.9
• d041563 1.18.1
• 9efa9ab deps: content-type@~1.0.4
• f1ef6cc deps: qs@6.5.1
• e438db5 deps: raw-body@2.3.2
• 15c3585 deps: iconv-lite@0.4.19
• adfa01c 1.18.0
• 0632e2f Include the "type" property on all generated errors
• b8f97cd Include the "body" property on verify errors
• c659e8a tests: add test for err.body on json parse error
• 4e15325 tests: reorganize json error tests
• 5bd7ed5 tests: reorganize json strict option tests
• 3cb380b tests: store server on mocha context instead of variable shadowing
• 29c8cd0 docs: document too many parameters error
• 7b9cb14 Use http-errors to set status code on errors
• 29a27f1 docs: fix typo in jsdoc comment
• 448dc57 Fix JSON strict violation error to match native parse error
• 87df7e6 tests: add leading whitespace strict json test
• 1841248 deps: raw-body@2.3.1
• e666dbe deps: http-errors@~1.6.2
• c2a110a deps: bytes@3.0.0
• a1a2e31 build: Node.js@8.4

See the full diff

Package name: eslint

The new version differs by 250 commits.

• 36ced0a 5.0.0
• 5fd5632 Build: changelog update for 5.0.0
• 0feedfd New: Added max-lines-per-function rule (fixes #9842) (#10188)
• daefbdb Upgrade: eslint-scope and espree to 4.0.0 (refs #10458) (#10500)
• 077358b Docs: no-process-exit: recommend process.exitCode (#10478)
• f93d6ff Fix: do not fail on unknown operators from custom parsers (fixes #10475) (#10476)
• 05343fd Fix: add parens for yield statement (fixes #10432) (#10468)
• d477c5e Fix: check destructuring for "no-shadow-restricted-names" (fixes #10467) (#10470)
• 7a7580b Update: Add considerPropertyDescriptor option to func-name-matching (#9078)
• e0a0418 Fix: crash on optional catch binding (#10429)
• de4dba9 Docs: styling team members (#10460)
• 5e453a3 Docs: display team members in tables. (#10433)
• b1895eb Docs: Restore intentional spelling mistake (#10459)
• a9da57d 5.0.0-rc.0
• 3ac3df6 Build: changelog update for 5.0.0-rc.0
• abf400d Update: Add ignoreDestructing option to camelcase rule (fixes #9807) (#10373)
• e2b394d Upgrade: espree and eslint-scope to rc versions (#10457)
• a370da2 Chore: small opt to improve readability (#10241)
• 640bf07 Update: Fixes multiline no-warning-comments rule. (fixes #9884) (#10381)
• 831c39a Build: Adding rc release script to package.json (#10456)
• dc4075e Update: fix false negative in no-use-before-define (fixes #10227) (#10396)
• 3721841 Docs: Add new experimental syntax policy to README (fixes #9804) (#10408)
• d0aae3c Docs: Create docs landing page (#10453)
• fe8bec3 Fix: fix writing config file when `source` is `prompt` (#10422)

See the full diff

Package name: express

The new version differs by 68 commits.

• f974d22 4.16.0
• 8d4ceb6 docs: add more information to installation
• c0136d8 Add express.json and express.urlencoded to parse bodies
• 86f5df0 deps: serve-static@1.13.0
• 4196458 deps: send@0.16.0
• ddeb713 tests: add maxAge option tests for res.sendFile
• 7154014 Add "escape json" setting for res.json and res.jsonp
• 628438d deps: update example dependencies
• a24fd0c Add options to res.download
• 95fb5cc perf: remove dead .charset set in res.jsonp
• 44591fe deps: vary@~1.1.2
• 2df1ad2 Improve error messages when non-function provided as middleware
• 12c3712 Use safe-buffer for improved Buffer API
• fa272ed docs: fix typo in jsdoc comment
• d9d09b8 perf: re-use options object when generating ETags
• 02a9d5f deps: proxy-addr@~2.0.2
• c2f4fb5 deps: finalhandler@1.1.0
• 673d51f deps: utils-merge@1.0.1
• 5cc761c deps: parseurl@~1.3.2
• ad7d96d deps: qs@6.5.1
• e62bb8b deps: etag@~1.8.1
• 70589c3 deps: content-type@~1.0.4
• 9a99c15 deps: accepts@~1.3.4
• 550043c deps: setprototypeof@1.1.0

See the full diff

Package name: mocha

The new version differs by 250 commits.

• eb781e2 Release v6.2.3
• 10dbe94 update CHANGELOG for v6.2.3 [ci skip]
• 848d6fb security: update mkdirp, yargs, yargs-parser
• 843a322 6.2.2
• aec8b02 update CHANGELOG for v6.2.2 [ci skip]
• 7a8b95a npm audit fixes
• cebddf2 Improve reporter documentation for mocha in browser. (#4026)
• 3f7b987 uncaughtException: report more than one exception per test (#4033)
• ee82d38 modify alt text of image from Backers to Sponsors inside Sponsors section in Readme (#4046)
• e9c036c special-case parsing of "require" in unparseNodeArgs(); closes #4035 (#4063)
• 954cf0b Fix HTMLCollection iteration to make unhide function work as expected (#4051)
• 816dc27 uncaughtException: fix double EVENT_RUN_END events (#4025)
• 9650d3f add OpenJS Foundation logo to website (#4008)
• f04b81d Adopt the OpenJSF Code of Conduct (#3971)
• aca8895 Add link checking to docs build step (#3972)
• ef6c820 Release v6.2.1
• 9524978 updated CHANGELOG for v6.2.1 [ci skip]
• dfdb8b3 Update yargs to v13.3.0 (#3986)
• 18ad1c1 treat '--require esm' as Node option (#3983)
• fcffd5a Update yargs-unparser to v1.6.0 (#3984)
• ad4860e Remove extraGlobals() (#3970)
• b269ad0 Clarify effect of .skip() (#3947)
• 1e6cf3b Add Matomo to website (#3765)
• 91b3a54 fix style on mochajs.org (#3886)

See the full diff

Package name: nyc

The new version differs by 160 commits.

• e21721a chore(release): 14.0.0
• 8cf8a89 docs: update issue template [skip ci] (#1008)
• d7a9d6a chore: Update package-lock.json
• 189bae8 chore: Update dependencies for 14.0.0-rc.1
• 2eb13c6 feat: instrument `--complete-copy` implementation (#1056)
• c88a852 docs: `nyc instrument` and `--exclude-node-modules` (#1039)
• c213469 feat: always build the processinfo temp dir (#1061)
• e597c46 feat: Add support for --exclude-node-modules to subcommands. (#1053)
• 8dcf180 feat: add processinfo index, add externalId (#1055)
• 32f75b0 fix: set processinfo pid/ppid to actual numbers (#1057)
• 16d4315 chore: Stop excluding `bin` from coverage results. (#1060)
• b909575 fix: Use a single instance of nyc for all actions of main command. (#1059)
• 997ed29 chore: Remove arrify dependency. (#1058)
• 68d6333 docs: move setup docs out of the readme [skip ci] (#1052)
• 8da097e feat: add `include` and `exclude` options to instrument command (#1007)
• 31817de chore: Update dependencies (#1050)
• 18e04ba fix: make --all work for transpiled code (#1047)
• b7e16cd feat: Support turning off node_modules default exclude via flag (#912)
• 3eb0e37 docs: A bunch of docs fix-ups (#1038)
• 5c1eb38 test(instrument): should return unmodified source if no transform found (#1036)
• 1f6c3d4 docs: project root directory and `--cwd` doc (#1032)
• 051d95a fix: Add `cwd` option to instrument command (#1024)
• 91e02c6 chore: A few code cleanups (#1033)
• 2867538 feat: Rename `plugins` option to `parser-plugins`. (#1031)

See the full diff

With a Snyk patch:

Severity	Priority Score (*)	Issue	Exploit Maturity
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution SNYK-JS-LODASH-567746	Proof of Concept
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	No Known Exploit
	579/1000 Why? Has a fix available, CVSS 7.3	Prototype Pollution npm:extend:20180424	No Known Exploit
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:mime:20170907	No Known Exploit
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:moment:20170905	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic