[Snyk] Fix for 28 vulnerabilities

[TheRealPiotrP]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json
  • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	679/1000 Why? Has a fix available, CVSS 9.3	Incomplete List of Disallowed Inputs SNYK-JS-BABELTRAVERSE-5962463	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	Yes	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-450202	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-608086	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-73638	Yes	Proof of Concept
	541/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	Yes	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASHTEMPLATE-1088054	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-1019388	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-3050818	Yes	No Known Exploit
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Server-side Request Forgery (SSRF) SNYK-JS-REQUEST-3361831	No	Proof of Concept
	624/1000 Why? Has a fix available, CVSS 8.2	Arbitrary File Overwrite SNYK-JS-TAR-1536528	No	No Known Exploit
	624/1000 Why? Has a fix available, CVSS 8.2	Arbitrary File Overwrite SNYK-JS-TAR-1536531	No	No Known Exploit
	410/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) SNYK-JS-TAR-1536758	No	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579147	No	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579152	No	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579155	No	No Known Exploit
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	No	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Insufficiently Protected Credentials SNYK-JS-TYPEDRESTCLIENT-5487993	No	No Known Exploit
	596/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.5	Arbitrary Code Injection SNYK-JS-UNDERSCORE-1080984	No	Proof of Concept
	539/1000 Why? Has a fix available, CVSS 6.5	Improper Input Validation SNYK-JS-XMLDOM-1534562	Yes	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Prototype Pollution SNYK-JS-XMLDOM-3042242	Yes	No Known Exploit
	811/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 9.8	Improper Input Validation SNYK-JS-XMLDOM-3092935	Yes	Proof of Concept
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:braces:20180219	Yes	Proof of Concept
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:lodash:20180130	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:minimatch:20160620	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: codecov

The new version differs by 25 commits.

• e427d90 feat(services): add azure pipelines (C# support not working after C# extension installed dotnet/vscode-csharp#114)
• 023d204 Use small HTTP dependency (Update launch.json 'program' description dotnet/vscode-csharp#110)
• 500f308 Update Readme
• 0ce3c76 v3.1.0
• 7c1f16e fix: support `.codecov.yml`/`codecov.yml` files for token (After update the Unity to Latest version,I cannot use the IntelliSense. dotnet/vscode-csharp#108)
• 1fff4dc Allow custom `yaml` file. (Don't blindly construct signature help if OmniSharp returns null dotnet/vscode-csharp#107)
• 77d7a5e Add ESLint (Code formatting does not obey editor.insertSpaces dotnet/vscode-csharp#93)
• 625807c Removing Makefile (Console.WriteLine snippet always prepends System dotnet/vscode-csharp#104)
• 94cd1c6 Change from istanbul to nyc (Improved generic method and parameters syntax highlighting dotnet/vscode-csharp#103)
• b0b580b Update README.md
• 08ca881 v3.0.4
• 012ef08 Update dependencies (Lots of code clean up dotnet/vscode-csharp#102)
• f954f91 Prettier (Open C# colorizing issues dotnet/vscode-csharp#101)
• 16efd18 Update README.md
• 49257a9 Update Readme
• 15cdae3 v3.0.3
• 39dc2d8 Support non-git/hg root dirs (Update MIEngine reference dotnet/vscode-csharp#75)
• a19efbe Updated readme
• 31926f7 v3.0.2
• 1114b03 Stop outputting upload-token in logs (C# Unity auto complete hints are wrong dotnet/vscode-csharp#97)
• e903e88 v3.0.1 (Error while Downloading and configuring the .NET Core Debugger dotnet/vscode-csharp#96)
• 75cc0dd package: unpin request so i stop getting these vulnerability reports (ignore dotnet/vscode-csharp#91)
• 4a7561e add -X s3 to disable uploading to s3 ([VSCodeEndGameTesting-Aditi][Command-Palette] Getting error when trying to run command for dnx. dotnet/vscode-csharp#84)
• 19facba Replace the `cd` command with the `pwd` option. ([VSCodeEndGameTesting-Aditi][Intellisense] Intellisense pop-up is not displaying at right position and options are misleading. dotnet/vscode-csharp#85)

See the full diff

Package name: gulp

The new version differs by 134 commits.

• 55eb23a Release: 4.0.0
• 173a532 Docs: Fix the installation instructions
• ec54d09 Docs: Improve note about out-of-date docs
• 03b7c98 Docs: Update recipes to install gulp@next
• 2eba29e Docs: Remove run-sequence from recipes
• 76eb4d6 Docs: Add installation instructions & update badges
• fbc162f Docs: Remove references to gulp-util
• 3011cf9 Scaffold: Normalize repository
• f27be05 Update: Remove graceful-fs from test suite
• 361ab63 Upgrade: Update glob-watcher
• 064d100 Build: Avoid broken node 9
• 057df59 Release: 4.0.0-alpha.3
• c1ba80c Breaking: Upgrade major versions of glob-watcher, gulp-cli & vinyl-fs
• 89acc5c Docs: Improve ES2015 task exporting examples (C# 7.2 syntax still not working? dotnet/vscode-csharp#1999)
• 0ac9e04 Docs: Add "Project structure" section to CONTRIBUTING.md (Support expanding large arrays >1000 in debug view dotnet/vscode-csharp#1859)
• 723cbc4 Docs: Fix syntax in recipe example (No IntelliSense & parameter hints for calls to local functions dotnet/vscode-csharp#1715)
• d420a6a Docs: Have gulp.lastRun take a function to avoid task registration (Unable to breakpoint and debug cshtml dotnet/vscode-csharp#1828)
• 29ece6f Upgrade: Update undertaker
• e931cb0 Docs: Fix changelog typos (Errors showing, Intellisense, using resolving doesn't work. dotnet/vscode-csharp#1696)
• 477db84 Docs: Add a "BrowserSync with Gulp 4" recipe (Syntax highlighting lost after certain comments dotnet/vscode-csharp#1659)
• d4ed3c7 Docs: Add options.cwd for gulp.src API (Invalid project name (doubles at solution-file) for unity project dotnet/vscode-csharp#1645)
• 5dc3b07 Docs: Update gulp.watch API to align with glob-watcher
• 0c66069 Breaking: Replace chokidar as gulp.watch with glob-watcher wrapper
• c3dbc10 Docs: Clarify incremental builds example (Provide IntelliSense in DEBUG CONSOLE dotnet/vscode-csharp#1609)

See the full diff

Package name: gulp-mocha

The new version differs by 7 commits.

• 983b0ac 5.0.0
• 7bc8d9c Add example of using the `exit` option (Fix typo in dotnet restore dotnet/vscode-csharp#185)
• 3f53145 Add example of using reporterOptions in readme.md (Debugger doesn't work, looking for nuget.config dotnet/vscode-csharp#179)
• 5045939 Improve usage example
• 64fef33 Bump Mocha to v4
• 06b96ba Meta tweaks
• ac3d7fc Drop dependency on deprecated `gulp-util` (Warning: could not load new.dll ... new.pdb is a Windows PDB dotnet/vscode-csharp#187)

See the full diff

Package name: gulp-tslint

The new version differs by 4 commits.

• c86c5ad Release 8.1.3
• e8c153d Update dependencies.
• 5d72ae5 Merge pull request Debugging on Windows fails with "Could not load host policy library" dotnet/vscode-csharp#143 from demurgos/issue-140
• 63be315 Drop dependency on deprecated gulp-util

See the full diff

Package name: mocha-typescript

The new version differs by 39 commits.

• 47f9a70 1.1.15
• 8594aa8 Merge pull request ignore dotnet/vscode-csharp#91 from pana-cc/[VSCodeEndGameTesting-Aditi][Command-Palette] Getting error when trying to run command for dnx. dotnet/vscode-csharp#84
• 7a4907c fix [VSCodeEndGameTesting-Aditi][Command-Palette] Getting error when trying to run command for dnx. dotnet/vscode-csharp#84 prevent suite inheritance
• e7dfbe6 Merge pull request Unable to target CoreCLR from Visual Studio Code dotnet/vscode-csharp#88 from pana-cc/Code reports errors in removed source files dotnet/vscode-csharp#87
• a57b974 Merge pull request [CSharp] Have "add using ..." on top in quick fix dialog  dotnet/vscode-csharp#86 from pana-cc/[ERROR] Error: Failed to start OmniSharp dotnet/vscode-csharp#83
• ddf3d7d fix Code reports errors in removed source files dotnet/vscode-csharp#87 update to latest versions of dependencies
• 2617864 fix [ERROR] Error: Failed to start OmniSharp dotnet/vscode-csharp#83 output of tsc has changed with 2.9.x
• 35febf6 Merge pull request Break points are not hit when running the app  dotnet/vscode-csharp#82 from pana-cc/params
• 1e497ee fix test expectations cleanup and provide new expectations for failing tests
• 2434121 add test suites for new @ params feature
• 7216781 Fix usage as custom ui
• d1a9397 fix stderr assertions
• aebc0ce expand test coverage to also include stderr of spawned processes
• 5165aeb Merge branch 'master' into params
• ee07a55 Merge pull request Error with dotnet restore Mac OS X, ASP.NET Core dotnet/vscode-csharp#81 from coldrye-collaboration/--configfile not recognized dotnet/vscode-csharp#80
• 7b3b23e enabling PackageTest again
• ff2ac44 Add tslint
• 19c092e fix --configfile not recognized dotnet/vscode-csharp#80 add missing augmentations to Test and Suite
• 25247f0 Fix @ types/mocha version
• b55dacf Name for parameters decorator
• 566f6cd add 'params' method for parametrizing tests
• 61835f2 Merge pull request Restore output should go to the output window instead of opening a terminial dotnet/vscode-csharp#79 from pana-cc/fix-isuite-types
• c3cb18f Deleted some times that conflict with @ mocha/types
• 2b4c015 Merge pull request debugger.md: link to Portable PDB wiki page dotnet/vscode-csharp#72 from coldrye-collaboration/Update readme.md dotnet/vscode-csharp#71

See the full diff

Package name: nyc

The new version differs by 52 commits.

• 4a6b327 chore(release): 13.0.1
• ae5318b chore: Update istanbul dependencies. (Debugger: takes a long time to start and populate the locals window for the first time dotnet/vscode-csharp#896)
• d0b76e2 fix: Enable es-modules by default. (Errors/Warnings failing again dotnet/vscode-csharp#889)
• 6b6cd5e fix: add flag to allow control of intrumenter esModules option, default to looser parsing (v1.5.0-beta4 -> v.1.5.0-beta5 dotnet/vscode-csharp#863)
• c325799 docs: reference babel 7 in all places (Support for msbuild only projects dotnet/vscode-csharp#881)
• 7483ed9 fix: use uuid/v4 to generate unique identifiers. (C# syntax error hints disappear after a few seconds dotnet/vscode-csharp#883)
• 8ab1ae3 chore: update dependencies (Reference link is inside the file explorer dotnet/vscode-csharp#872)
• 52b69ef fix: Update caching-transform options. (Reimplement debugger acquisition to use Package Manager dotnet/vscode-csharp#873)
• 624a723 chore: update dependencies (Delete OperatingSystem enum dotnet/vscode-csharp#866)
• a5818f5 chore(release): 13.0.0
• f0d98a5 docs: update README.md with babel configuration info (self signed certificate dotnet/vscode-csharp#860)
• 893345a feat: allow rows with 100% statement, branch, and function coverage to be skipped in text report (Debugger to support $ReturnValue dotnet/vscode-csharp#859)
• f09cf02 chore: update dependencies (Error and warnings gets overrided by dependencies projects dotnet/vscode-csharp#855)
• d0f654c fix: source was being instrumented twice, due to upstream fix in ista… (OmniSharp invalid CIL dotnet/vscode-csharp#853)
• adb310c chore(release): 12.0.2
• ddc9331 fix: stop bundling istanbul-lib-instrument due to npm issue on Node 6 (Inconsistent highlighting dotnet/vscode-csharp#854)
• b4c325b fix: don't bundle istanbul-lib-instrument due to Node 6 issues
• 9fc20e4 chore(release): 12.0.1
• 3e087d4 chore: upgrade to version of istanbul with optional catch binding (IntelliSense: Autocomplete to offer known types as VSPro dotnet/vscode-csharp#851)
• eaf3f70 chore(release): 12.0.0
• 19b7d21 chore: upgrade to newest version of istanbul codebase (GalliumOS Omnisharp.path error dotnet/vscode-csharp#848)
• 570a08a chore(release): 11.9.0
• 1329a3b feat: add option that allows instrument to exit on error (Update debugger packages for 10/28 dotnet/vscode-csharp#850)
• bc9ffe5 chore(release): 11.8.0

See the full diff

Package name: plist

The new version differs by 38 commits.

• 5e0d06e 3.0.4
• fa8e184 inline [email protected] to avoid false positive security message. Fixes Update launch.json 'program' description dotnet/vscode-csharp#110, Add support for C# 6 keywords dotnet/vscode-csharp#111
• a0bd0d0 3.0.3
• dfb43f4 Merge pull request Improve debugger install error messages dotnet/vscode-csharp#109 from minhnguyen0712/master
• 5af9758 ⬆️ Bump xmldom
• 5877ec7 remove flaky saucelabs testing status badge
• 276c657 3.0.2
• 9b6af11 revert mocha because newer versions don't run on node versions this old
• e828f84 update deps
• e7b0394 removing safari because I can't get it to run in sauce with zuul
• c33edbe try an older version of safari
• 1f13bd7 revert sauce connect
• 6fa1022 specify specific tunnel id for sauce
• ee3c545 revert zuul dependency to see if that fixes saucelabs build
• e538eb4 reduce travis testing matrix size
• eb28b45 adding sauceconnect to see if that solves the local tunnel problem
• 3a8004a update saucelabs credentials in travis file
• 56c5a74 travis: revert config
• eaf1ca7 move saucelabs credentials to travis env variables
• eaf1af8 update minor deps
• 3821f55 update travis config to fix all warnings
• 9ec848e update sauce labs integration using my account
• af45b08 give credit to sauce labs for providing free open source testing resources
• 1628c6e 3.0.1

See the full diff

Package name: remap-istanbul

The new version differs by 6 commits.

• 981dac8 Release 0.10.0
• a50dbf6 Drop dependency on deprecated `gulp-util` (dotnet crashes when debuging dotnet/vscode-csharp#158)
• 9ed0670 Removed typo (Missing auto indenting inside of switch blocks dotnet/vscode-csharp#156)
• 8342b28 Allow null file name (Don't search for OmniSharp launcher case-insensitively dotnet/vscode-csharp#153)
• 18ba8f6 Add warnMissingSourceMaps parameter (Fix launch on Windows with forward slashes in program (#143) dotnet/vscode-csharp#150)
• 50b3f4f checking if origFileName is defined before using it to build a file path (C# extension cannot start omnisharp on Linux due to wrong casing of 'omnisharp' executable dotnet/vscode-csharp#152)

See the full diff

Package name: vsce

The new version differs by 184 commits.

• 1ee7a2b 1.61.0
• fe3de2e cleanup
• 2cfb898 use basic handler
• 3502fba update deps to azure-devops-node-api
• 165f96d remove log
• af9ba1b 1.60.0
• 34381ff add noVerify
• 0c51764 fix launcher
• f4a3d0d fix tests
• b708803 fix travis
• 2c2d18d fix types
• 681efad cleanup, remove gulp
• a616aab 1.59.0
• 8477ee4 add flat.badgen.net
• 286a758 update badges
• 08f8f56 1.58.0
• 0bcfce9 Merge pull request VS Code doesn't create tasks/launch.json for projects published from VS Docker Tools dotnet/vscode-csharp#336 from Microsoft/joh/suggestbundle
• 7d6523d suggest bundling
• 61afd8f Recommend mocha test explorer
• 7fb8a16 Add test files to mocha explorer setting
• ccf030a 1.57.1
• 883921b Merge pull request Performance: Stop passing entire buffer to OmniSharp on every keystroke dotnet/vscode-csharp#309 from barretlee/master
• bd00be7 1.57.0
• 6c04670 Revert theme detection

See the full diff

Package name: vscode

The new version differs by 58 commits.

• 470c3da v1.1.31
• 64bcb82 Fix TypeError: Cannot read property 'ActiveSignature' of null  dotnet/vscode-csharp#149 (Don't search for OmniSharp launcher case-insensitively dotnet/vscode-csharp#153)
• 2936b5a NPM -> Yarn. Fix Fix launch on Windows with forward slashes in program (#143) dotnet/vscode-csharp#150 (C# extension cannot start omnisharp on Linux due to wrong casing of 'omnisharp' executable dotnet/vscode-csharp#152)
• 46972e7 Merge pull request Error: Canceled  dotnet/vscode-csharp#148 from Microsoft/download
• 07b7969 Update vscode-test deps
• 57bd2ac Update deps
• 7fe002b Update vscode-test deps
• 3d25f24 Update dependency on vscode-test
• 639fd57 Remove dependencies for downloading / unzipping
• e81d78a [email protected]
• 4f6e30d Support passing user-data-dir to tests ([OS X] Unable to debug sample HelloMvc app with latest dotnet CLI dotnet/vscode-csharp#144)
• ea86293 [email protected]
• aafb824 disable other extensions in testing (.NET Core attach debugger template defaults to "processname" and the flydown says use "pid"  dotnet/vscode-csharp#142)
• 5101059 bump to 1.1.28
• df6aedf More mocha options support (Initializing project system triggers incorrect restore prompt and reprocesses projects multiple times dotnet/vscode-csharp#141)
• 5815a93 bump to 1.1.27
• e05bf6a share request options
• 9610330 Add locale argument for running with VS Code (Update to support new OmniSharp release dotnet/vscode-csharp#139)
• e5d9f33 actually remove gulp-symdest ([email protected])
• 163aa90 Remove gulp-symdest dependency (fixes Add initial .travis.yml file dotnet/vscode-csharp#123)
• 1c16d08 [email protected]
• f6fb623 update request library
• c790bed [email protected]
• a579228 remove unneeded TS dependency

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Prototype Pollution
🦉 Server-side Request Forgery (SSRF)
🦉 More lessons are available in Snyk Learn