[Snyk] Fix for 36 vulnerabilities

[enterstudio]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:

  • package.json

• Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
  Find out more.

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	Yes	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-450202	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-608086	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-73638	Yes	Proof of Concept
	541/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKDOWNIT-459438	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-MERGE-1040469	Yes	No Known Exploit
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-MERGE-1042987	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-1019388	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-3050818	Yes	No Known Exploit
	658/1000 Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	Yes	Proof of Concept
	676/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.1	Improper Privilege Management SNYK-JS-SHELLJS-2332187	Yes	Proof of Concept
	399/1000 Why? Has a fix available, CVSS 3.7	Cross-site Scripting (XSS) SNYK-JS-STRIPTAGS-1312310	Yes	No Known Exploit
	624/1000 Why? Has a fix available, CVSS 8.2	Arbitrary File Overwrite SNYK-JS-TAR-1536528	Yes	No Known Exploit
	624/1000 Why? Has a fix available, CVSS 8.2	Arbitrary File Overwrite SNYK-JS-TAR-1536531	Yes	No Known Exploit
	410/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) SNYK-JS-TAR-1536758	Yes	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579147	Yes	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579152	Yes	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579155	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-TRIMNEWLINES-1298042	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Cross-site Scripting (XSS) SNYK-JS-TRIX-536207	No	No Known Exploit
	496/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.5	Cross-site Scripting (XSS) SNYK-JS-TRIX-537647	No	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-UGLIFYJS-1727251	Yes	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Information Exposure SNYK-JS-WEBPACKDEVSERVER-72405	Yes	Proof of Concept
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:braces:20180219	Yes	Proof of Concept
	354/1000 Why? Has a fix available, CVSS 2.8	Insecure use of /tmp folder npm:cli:20160615	Yes	No Known Exploit
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	Yes	Proof of Concept
	676/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.1	Regular Expression Denial of Service (ReDoS) npm:diff:20180305	Yes	Proof of Concept
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:eslint:20180222	Yes	Proof of Concept
	704/1000 Why? Has a fix available, CVSS 9.8	Arbitrary Code Injection npm:growl:20160721	Yes	No Known Exploit
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:lodash:20180130	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:minimatch:20160620	Yes	No Known Exploit
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:ms:20170412	Yes	No Known Exploit
	576/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.1	Uninitialized Memory Exposure npm:tunnel-agent:20170305	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: gulp

The new version differs by 134 commits.

• 55eb23a Release: 4.0.0
• 173a532 Docs: Fix the installation instructions
• ec54d09 Docs: Improve note about out-of-date docs
• 03b7c98 Docs: Update recipes to install gulp@next
• 2eba29e Docs: Remove run-sequence from recipes
• 76eb4d6 Docs: Add installation instructions & update badges
• fbc162f Docs: Remove references to gulp-util
• 3011cf9 Scaffold: Normalize repository
• f27be05 Update: Remove graceful-fs from test suite
• 361ab63 Upgrade: Update glob-watcher
• 064d100 Build: Avoid broken node 9
• 057df59 Release: 4.0.0-alpha.3
• c1ba80c Breaking: Upgrade major versions of glob-watcher, gulp-cli & vinyl-fs
• 89acc5c Docs: Improve ES2015 task exporting examples (Eslint fix WikiEducationFoundation/WikiEduDashboard#1999)
• 0ac9e04 Docs: Add "Project structure" section to CONTRIBUTING.md (Fix #1856 Campaign Alert Table Not Showing under Mobile Layout WikiEducationFoundation/WikiEduDashboard#1859)
• 723cbc4 Docs: Fix syntax in recipe example (CampaignEditable generates a warning WikiEducationFoundation/WikiEduDashboard#1715)
• d420a6a Docs: Have gulp.lastRun take a function to avoid task registration (User stats query does not work when username includes & WikiEducationFoundation/WikiEduDashboard#1828)
• 29ece6f Upgrade: Update undertaker
• e931cb0 Docs: Fix changelog typos (Converts Campaign Editable into a Popover WikiEducationFoundation/WikiEduDashboard#1696)
• 477db84 Docs: Add a "BrowserSync with Gulp 4" recipe (complete upload.spec.jsx WikiEducationFoundation/WikiEduDashboard#1659)
• d4ed3c7 Docs: Add options.cwd for gulp.src API (Plagiarism store to redux WikiEducationFoundation/WikiEduDashboard#1645)
• 5dc3b07 Docs: Update gulp.watch API to align with glob-watcher
• 0c66069 Breaking: Replace chokidar as gulp.watch with glob-watcher wrapper
• c3dbc10 Docs: Clarify incremental builds example (Bcb37 training translations#1514 WikiEducationFoundation/WikiEduDashboard#1609)

See the full diff

Package name: gulp-clean

The new version differs by 2 commits.

• 1b2503e Merge pull request [Snyk] Fix for 1 vulnerabilities #30 from kuangyeheng/pl
• d83c56a remove gulp-util

See the full diff

Package name: gulp-coffee

The new version differs by 19 commits.

• 39df753 3.0.3
• 8c9ec9a Merge pull request [Snyk] Fix for 1 vulnerabilities #89 from TheDancingCode/no-coercion
• 9db3c01 Merge pull request [Snyk] Security upgrade gulp-iconfont from 8.0.1 to 12.0.0 #90 from TheDancingCode/remove-require
• 64b0784 Remove unneeded Mocha require statement
• 8cd8339 Avoid implicit type coercion
• f668318 Remove unused variables
• 428393b Replace deprecated `new Buffer()`
• 841228b Update repo location
• 95c3621 Replace unneeded `merge`
• a752a2a Fix node version in README
• 2b17e7c 3.0.2
• e8a6459 closes [Snyk] Fix for 2 vulnerabilities #81
• e39eac8 closes [Snyk] Security upgrade markdown-it from 8.1.0 to 13.0.2 #82
• bbb041d 3.0.1
• 4e4fe84 respond to https://github.com/Ecosystem migration gulpjs/gulp-util#143
• 2b1623c 3.0.0
• eaf44ad more dep updating
• 480d8ee Merge pull request [Snyk] Fix for 1 vulnerabilities #80 from ndrewtl/master
• e3939ff Bump Coffeescript to version 2.1.0

See the full diff

Package name: gulp-eslint

The new version differs by 19 commits.

• a398838 4.0.0
• 18a4299 emit an error when it fails to load an ESLint plugin
• b8bf261 update ESLint from v3 to v4 (Number of trained students no longer accessible to screen readers WikiEducationFoundation/WikiEduDashboard#198)
• c0e82ce use `Buffer.from` instead of `new Buffer`
• e6c67a2 drop support for linting `Stream` contents
• 132d5cc Fix formatting issues in README.md (Placeholder text for course start/end dates should indicate required date format: YYYY-MM-DD WikiEducationFoundation/WikiEduDashboard#194)
• 7f65378 remove link to config file `globals` doc
• 8ddfb84 correct the type of `globals` option in README
• 6059c22 3.0.1
• b0c2816 ensure sharable config works
• 08b9212 test the case where babel-eslint is actually useful
• eb98701 mock stream-mode vinyl files with from2-string
• bcd7736 fix invalid `envs` option
• 286b0c4 remove unused fixtures
• e2723e1 Remove unnecessary `object-assign` dependency
• 82c1949 3.0.0
• 97d8638 Remove invalid options in example code
• 505779d Remove option aliases
• 7228608 Bump ESLint to v3.x and ES2015ify

See the full diff

Package name: gulp-htmlhint

The new version differs by 31 commits.

• ee34ef4 changelog
• 7a5e4e1 Tewak travis yaml
• 2abefa6 changelog
• 33f7eb8 bump dependencies
• 67eb9be updated htmlhint dependency ([Snyk] Fix for 1 vulnerabilities #42)
• 1812928 v2.1.1
• 35c080a changelog
• dcad7b5 linter
• 9e5fe01 Fix issue in specifying htmlhintrc in options.
• 2c4cdba v2.1.0
• eb72661 changelog
• f84d738 Merge branch 'pr/37'
• 02525c3 Cleanup
• 1ab444d Replace tabs in code.
• c9e333c Add test for custom rules.
• 32299c7 Enhance the support of custom rules.
• 6de541e Update README.md
• 3ac8697 Update index.js
• 86795a3 v2.0.0
• 94c2cc3 changelog
• 3065e9c Bump dependencies
• d599989 Replace deprecated gulp-util package ([Snyk] Security upgrade jquery from 2.2.4 to 3.5.0 #35)
• 04ec9fc v1.0.0
• 38da4f3 changelog

See the full diff

Package name: gulp-iconfont

The new version differs by 49 commits.

• 3d935c1 Release v11.0.0
• 1a5b6f4 Merge pull request + icon for Wiki Ed staff does nothing if no staff are present WikiEducationFoundation/WikiEduDashboard#187 from nfroidure/gulp-ttf2woff2
• ae4bd62 Do not publish .github
• 3643cc6 Require Node 12+
• 5f22074 Update [email protected]
• 7507aee Merge pull request If a week has no blocks, you cannot drag another block to that week WikiEducationFoundation/WikiEduDashboard#186 from nfroidure/actions
• 4c81f3b Update CI badge in README.md
• eb6a935 Remove .travis.yml
• 10deed6 Increase timeout on async test
• 7545acc Run on ubuntu-latest
• e2fd250 Do not reinstall packages already installed
• 6bef293 Copy install script from Dockerfile
• b60a2f6 Use GitHub Actions for CI
• 0a5245d Merge pull request enrollment url should not display for users who are not logged in. WikiEducationFoundation/WikiEduDashboard#177 from nfroidure/travis
• b85eb5b Run CI on Ubuntu 14.04
• 6067b8f Merge pull request Activity timestamps do not match Wikipedia WikiEducationFoundation/WikiEduDashboard#176 from nfroidure/readme
• 195dd04 Fix formatting in README.md
• d751ba6 10.0.3
• b0e8399 Merge pull request Your Courses should only show current and not-yet-started courses. WikiEducationFoundation/WikiEduDashboard#175 from pioug/master
• ed9dae2 Add support for Node.js 11/12
• 47cde1a 10.0.2
• a4a2b5e updated dependencies
• 0819325 10.0.1
• cb86fe2 Use multipipe instead of plexer: no need for explicit error handling, simpler code.

See the full diff

Package name: gulp-imagemin

The new version differs by 11 commits.

• 805d945 5.0.0
• a576ff2 Require Gulp 4
• 4fd98eb Meta tweaks
• b57f1d6 Require Node.js 6 and update dependencies (Edits that add urls from Wikipedia's spam blacklist will fail (eg, bit.ly) WikiEducationFoundation/WikiEduDashboard#315)
• 658ec66 Update URL to XO
• e1e3cf2 4.1.0
• adb1e87 Removed use of deprecated gutil (Columns are mislabeled on Your Courses list WikiEducationFoundation/WikiEduDashboard#289)
• d33fc30 Remove Code Sponsor
• a02c58b 4.0.0
• 1f28b70 package.json indentation
• 62ad533 Bump `imagemin-svgo`

See the full diff

Package name: gulp-jsx-coverage

The new version differs by 28 commits.

• 79b94d8 release
• 993ac49 update history
• 21954ba update license
• bcac6ac update history
• 4dec074 update history
• 94b0c0f update history
• 87709bc typo
• bc9591f refine doc
• 1061c7f add react/jsx into example
• 58a09ee refine doc
• 6d5250a refine doc
• a2e3c62 refine doc
• f2fdabe refine document
• 139ad7e refine document and error handling. remove unused devDep
• 0fbc1fc refine doc
• 05c3b5c update demo image
• 0e16b6d refine document
• ff2a18e refine tests
• 5c9085f refine dependency
• 9d9427c test in node 4+ now
• 0e743d8 have correct source-map-support now
• 09eb166 big changes now
• c5c6f12 port to new istanbul.js now
• 27fd853 remove isparta and babel option support

See the full diff

Package name: gulp-notify

The new version differs by 37 commits.

• ed803de v4.0.0
• 7160fd4 removes old node
• 285814e updates changelog
• 47cf852 updates node travis versions
• a72c677 Merge branch 'mrDinckleman-master'
• da7fa41 updates dependencies
• 07b80b5 updates dependencies
• 11375a4 Fix 'var' usages
• 0e311bf Update dependencies
• db21100 Updates travis node version to modern
• fc027c1 v3.2.0
• 883e4a5 Updates dependencies
• 398d0a4 v3.1.0
• fc51ff2 Merge pull request Instructors do not appear on the overview page WikiEducationFoundation/WikiEduDashboard#124 from ohbarye/replace-gulp-util
• 46efdc6 Move vinyl to devDependencies
• 173fcb0 Use ansi-colors instead of chalk due to node version compatibility
• 1e8c372 Remove unused through import
• 3284a51 Drop dependency on deprecated gulp-util
• 455250c npm install chalk fancy-log plugin-error lodash.template vinyl
• 658efc5 v3.0.0
• b1ba7a2 Adds changelog for bump with node-notifier
• 7d6944e Updates all dependencies
• 08244ea Adds log files to ignore
• 8df5320 Bumps node-notifier dependency to latest

See the full diff

Package name: gulp-stylus

The new version differs by 2 commits.

• 613ab7f 3.0.0
• fdaf2cc Update dependencies

See the full diff

Package name: gulp-uglify

The new version differs by 6 commits.

• 76b5b3a fix(package): update files array
• 5d4c4c6 chore(all): refactor unit tests
• f2b779b feat(composer): implement new API for composing deps
• dbbba30 fix(minify): log warnings to gulplog
• 4cc8751 feat(uglify): add support for UglifyJS3
• ad73ab8 chore(pkg): update dependencies, run lint

See the full diff

Package name: gulp-watch

The new version differs by 5 commits.

• 959128a 5.0.0
• 9208d48 Bump chokidar to ^2.0.0
• 02bd06d Update to newest vinyl for gulp 4 support (Sorting by Recent Revisions does not sort correctly WikiEducationFoundation/WikiEduDashboard#296)
• 4ced696 Add Node.js 9 and increase timeout to 5 secs
• aa8146f Remove unsupported versions of Node.js

See the full diff

Package name: markdown-it

The new version differs by 94 commits.

• b5d7ea5 10.0.0 released
• 26eacad Browser files rebuild
• 3d24bda Deps bump
• 33dfd12 Changelog format update
• 07a62c6 Move nested delimiter info to opening token instead of inline state
• 3c67c8f Add funding info
• 9e5015f 9.1.0 released
• 5093920 Browser files rebuild
• 39a35f4 Remove extra chars from line breaks check (match CM spec)
• faecae0 Match CommonMark spec exactly
• d9cb3cc Don’t recognize U+2028 as a newline character
• 9bbefc1 Create issue templates
• 28cec6d 9.0.1 released
• 7961e5a Browser files rebuild
• a1c9381 Fix incorrect level recalculation in text_collapse
• d08c7c3 Add an example related to case-insensitive comparisons
• bd43aae 9.0.0 released
• cb4f862 Browser files rebuild
• c36309e Bump eslint & update CS
• a52d724 Deps bump
• c93ad3a jade => pug
• 1ba6def Deps: coverall bump
• 457f471 Travis-CI: refresh node versions to actual
• fa7a419 Fix edge case for list indents

See the full diff

Package name: mocha

The new version differs by 250 commits.

• da6e5c9 Release v5.0.3
• 70d9262 update CHANGELOG.md for v5.0.3 [ci skip]
• aaaa5ab fix: ReDoS vuln in [email protected] › [email protected] (What do you think if students are more concerned with a hoax news on their smartphone than with social reality  WikiEducationFoundation/WikiEduDashboard#3266)
• 8df5727 Tidies up code after review
• 660bccc adds unit tests covering Base.generateDiff
• bdcb3c3 exposes generateDiff function from base reporter
• f2ee53c Release v5.0.2
• ff1bd9e update package-lock.json
• 6a796cb prepare CHANGELOG for v5.0.2 [ci skip]
• 0542c40 update README.md; closes Bump core-js from 3.1.4 to 3.2.0 WikiEducationFoundation/WikiEduDashboard#3191 [ci skip]
• afcd08f add MAINTAINERS.md to .fossaignore [ci skip]
• 3792bef add opencollective header image to assets/
• 5078fc5 persist paths in stack trace which have cwd as infix
• 2c720a3 do not eat exceptions thrown asynchronously from passed tests; closes Update My Articles links with templates WikiEducationFoundation/WikiEduDashboard#3226
• 3537061 Update to correctly licensed browser-stdout version
• ec8901a remove unused functionality in utils module
• f71f347 rename wallaby.js -> .wallaby.js
• c4ef568 fix PR url
• 73d55ac fix typos in changelog [ci skip]
• 09ce746 Release v5.0.1
• 70027b6 update changelog for v5.0.1 [ci skip]
• 44aae9f add working wallaby config
• 412cf27 [Update] license year
• b7377b3 rename help-wanted to "help wanted" in stale.yml

See the full diff

Package name: react-trix

The new version differs by 27 commits.

• 4280782 cleaned up dependencies
• 7e5f165 fixed [Snyk] Fix for 2 vulnerable dependencies #16 and close [Snyk] Fix for 1 vulnerable dependencies #17 updated to trix 1.0.0
• c560bff Merge pull request [Snyk] Fix for 1 vulnerable dependencies #19 from jusmat/fix/18_fix_documentation
• ed45d05 Refs [Snyk] Fix for 1 vulnerable dependencies #18: Make documentation up to date.
• ef4d498 Merge pull request [Snyk] Fix for 1 vulnerable dependencies #15 from pawelsas/master
• c9c63ea Merge pull request [Snyk] Fix for 1 vulnerable dependencies #14 from pawelsas/master
• c367952 Add trix npm version to Readme
• 6a13074 Merge pull request [Snyk Update] New fixes for 2 vulnerable dependency paths #1 from pawelsas/pawelsas-patch-1
• 41fad9c Update README.md
• 3535db3 updated readme
• 13c012c Merge branch 'master' of https://github.com/dstpierre/react-trix
• f730eab updated to react 16 close [Snyk] Fix for 1 vulnerable dependencies #9 and fix [Snyk] Fix for 1 vulnerable dependencies #10
• 9f554e2 Merge pull request [Snyk] Fix for 1 vulnerable dependencies #8 from pixyj/master
• 7c4e833 Fix typo in README
• 01aed09 fixed suggestion box positionning
• 4028d89 fixed firefox events not fireing
• 825bde7 fixed typo in readme
• 54d5cda added note about having latest trix js/css
• cfbfbd5 added build task
• ab108de added css class for suggestion box
• d3d6744 added trigger and suggestion for merge tags / mention like interaction
• 05381ac migrated to Typescript and Trix 0.10.1
• 7ba2ecd first alpha with typescript
• faf8c26 taking over this project

See the full diff

Package name: rev-del

The new version differs by 22 commits.

• de7ddcf 2.0.0
• a53017b Merge pull request [Snyk] Fix for 1 vulnerable dependencies #20 from jakezatecky/master
• f95803a Merge pull request [Snyk] Fix for 2 vulnerable dependencies #16 from joostdekeijzer/deleteMapExtensions-issue-10
• c58cf53 Update dependencies
• cf4592b deleteMapExtensions help text
• bb0647a deleteMapExtensions option defaults to false
• 3e6352a Update travis test version
• be9d676 Merge pull request [Snyk] Fix for 2 vulnerable dependencies #13 from nickescallon/add-range-dep-for-lodash
• 6cb4e66 Merge pull request [Snyk] Fix for 1 vulnerable dependencies #12 from piotr-cz/patch-1
• 6083c07 Merge pull request [Snyk] Fix for 1 vulnerable dependencies #14 from silverbackdan/master
• 099fc8c Remove statSync from secondary potential map file path
• ce37d62 Coding style whitespace update
• ab3a318 Change existsSync to statSync and coding style update
• 9929902 Conflict resolve
• dae8438 First local to remote commit
• 218f09d .map find fixes
• b9e10b6 Lookup key for file to locate .map
• 9ab2b0c Respect deleteMapExtensions option
• a0a913e .map extension check
• aa4db05 Option for checking and deleting .map extenions
• acea599 increase lodash dependency version range
• bd6105e Fix path resolution on windwos

See the full diff

Package name: striptags

The new version differs by 18 commits.

• f252a6b Merge pull request from GHSA-qxg5-2qff-p49r
• 2719515 fix: throw TypeError if 'html' is non-string argument
• 27a5dd9 Update README.md example output