[Snyk] Fix for 51 vulnerabilities

[snyk-bot]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:

  • package.json
  • package-lock.json

• Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
  Find out more.

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	616/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.9	Server-Side Request Forgery (SSRF) SNYK-JS-AXIOS-1038255	No	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-AXIOS-1579269	No	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Denial of Service (DoS) SNYK-JS-AXIOS-174505	No	Proof of Concept
	630/1000 Why? Has a fix available, CVSS 8.1	Internal Property Tampering SNYK-JS-BSON-561052	Yes	No Known Exploit
	626/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.1	Man-in-the-Middle (MitM) SNYK-JS-HTTPSPROXYAGENT-469131	No	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-JQUERY-174006	No	Proof of Concept
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Cross-site Scripting (XSS) SNYK-JS-JQUERY-565129	No	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Cross-site Scripting (XSS) SNYK-JS-JQUERY-567880	No	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-MONGODB-473855	Yes	No Known Exploit
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MONGOOSE-1086688	Yes	Proof of Concept
	509/1000 Why? Has a fix available, CVSS 5.9	Information Exposure SNYK-JS-MONGOOSE-472486	No	No Known Exploit
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MPATH-1577289	Yes	Proof of Concept
	579/1000 Why? Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-MPATH-72672	No	No Known Exploit
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-MQUERY-1050858	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-MQUERY-1089718	Yes	Proof of Concept
	520/1000 Why? Has a fix available, CVSS 5.9	Denial of Service SNYK-JS-NODEFETCH-674311	Yes	No Known Exploit
	658/1000 Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 5.3	Open Redirect SNYK-JS-NODEFORGE-2330875	Yes	Proof of Concept
	601/1000 Why? Recently disclosed, Has a fix available, CVSS 6.3	Prototype Pollution SNYK-JS-NODEFORGE-2331908	Yes	No Known Exploit
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-NODEFORGE-598677	Yes	Proof of Concept
	751/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.6	Command Injection SNYK-JS-NODEMAILER-1038834	Yes	Proof of Concept
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	HTTP Header Injection SNYK-JS-NODEMAILER-1296415	Yes	Proof of Concept
	704/1000 Why? Has a fix available, CVSS 9.8	Arbitrary Code Injection SNYK-JS-OPEN-174041	No	No Known Exploit
	619/1000 Why? Has a fix available, CVSS 8.1	Cross-site Scripting (XSS) SNYK-JS-SERIALIZEJAVASCRIPT-536840	Yes	No Known Exploit
	706/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.7	Arbitrary Code Injection SNYK-JS-SERIALIZEJAVASCRIPT-570062	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-UAPARSERJS-1023599	No	Proof of Concept
	616/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.9	Regular Expression Denial of Service (ReDoS) SNYK-JS-UAPARSERJS-1072471	No	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-UAPARSERJS-610226	No	Proof of Concept
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution SNYK-JS-UNDEFSAFE-548940	No	Proof of Concept
	596/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.5	Arbitrary Code Injection SNYK-JS-UNDERSCORE-1080984	No	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090599	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090600	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090601	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090602	Yes	Proof of Concept
	539/1000 Why? Has a fix available, CVSS 6.5	Cross-site Scripting (XSS) npm:bootstrap:20160627	No	No Known Exploit
	676/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.1	Regular Expression Denial of Service (ReDoS) npm:highcharts:20180225	Yes	Proof of Concept
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:hoek:20180212	Yes	Proof of Concept
	796/1000 Why? Mature exploit, Has a fix available, CVSS 8.2	Uninitialized Memory Exposure npm:http-proxy-agent:20180406	No	Mature
	796/1000 Why? Mature exploit, Has a fix available, CVSS 8.2	Uninitialized Memory Exposure npm:https-proxy-agent:20180402	No	Mature
	469/1000 Why? Has a fix available, CVSS 5.1	Uninitialized Memory Exposure npm:ip:20170304	No	No Known Exploit
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:moment:20170905	No	No Known Exploit
	741/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.4	Arbitrary Command Injection npm:open:20180512	No	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) npm:ua-parser-js:20171012	No	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) npm:ua-parser-js:20180227	No	Proof of Concept
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:validator:20180218	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: axios

The new version differs by 250 commits.

• e367be5 [Releasing] 0.21.3
• 83ae383 Correctly add response interceptors to interceptor chain (#4013)
• c0c8761 [Updating] changelog to include links to issues and contributors
• 619bb46 [Releasing] v0.21.2
• 82c9455 Create SECURITY.md (#3981)
• 5b45711 Security fix for ReDoS (#3980)
• 5bc9ea2 Update ECOSYSTEM.md (#3817)
• e72813a Fixing README.md (#3818)
• e10a027 Fix README typo under Request Config (#3825)
• e091491 Update README.md (#3936)
• b42fbad Removed un-needed bracket
• 520c8dc Updating CI status badge (#3953)
• 4fbeecb Adding CI on Github Actions. (#3938)
• e9965bf Fixing the sauce labs tests (#3813)
• dbc634c Remove charset in tests (#3807)
• 3958e9f Add explanation of cancel token (#3803)
• 69949a6 Adding custom return type support to interceptor (#3783)
• 49509f6 Create FUNDING.yml (#3796)
• 199c8aa Adding parseInt to config.timeout (#3781)
• 94fc4ea Adding isAxiosError typeguard documentation (#3767)
• 0ece97c Fixing quadratic runtime when setting a maxContentLength (#3738)
• a18a0ec Updating `lib/core/README.md` about Dispatching requests (#3772)
• 59fa614 [Updated] follow-redirects to the latest version (#3771)
• 7821ed2 Feat/json improvements (#3763)

See the full diff

Package name: bootstrap

The new version differs by 250 commits.

• 8a628b9 Remove -Pre from Nuget install info since we're stable now /cc @ supergibbs
• 572d00a Bump version to 4.0.0
• bffa438 Update progress.md (#25355)
• 45d2f2e Restore sidebar nav link to Approach page
• 20a9c7f dist
• 91d5846 Improve examples' screenshots compression.
• 6902219 Consistently sized 960x600 wide images.
• b00bbf0 Only 2-col on sm+
• 9b0fcbf Prevent print utils from overriding all other display utils (#25269)
• a0936c3 Outline button hover color (#25339)
• b1a7548 Use .list-group-item-action for list group item variant (#25338)
• 4c96f58 Fix input height border (#25331)
• 18f6915 dist
• f4132db Add order-last grid class (#24915)
• a531b46 Using the expected variable to set the custom select height. (#25169)
• 814e5b7 Extend spacers and sizes (#25101)
• d16eb10 Mention .input-group-text in migration docs (#25325)
• 2f4e785 Adjust language
• c8d9c0e Merge branch 'form-check-input-validation' of https://github.com/supergibbs/bootstrap into supergibbs-form-check-input-validation
• b5039d5 closes #25280
• e6d9316 Use the SRI hashes for the live site's assets. (#25282)
• 1f490ec Consistently use `:disabled` rather than `[disabled]` selector (#25317)
• fa3de5c Add example of a Spanish translation for custom file input (#25302)
• 14bd7d7 Add display utilities to bootstrap-grid.scss (#25308)

See the full diff

Package name: connect-mongo

The new version differs by 90 commits.

• 63ca966 docs: update readme and bump version to 3.0.0
• aceb1ee chore: bump version to 3.0.0-rc.2
• 0e4a234 test: add test cases on event listener
• e77a7f1 test: replace mocha with jest (#324)
• ad39e88 test: replace deprecated collection.insert to collection.insertOne
• 545c06e docs: update README on testing
• 2d5442e chore: upgrade depns mocha
• 5d3a321 chore: upgrade nyc depns
• 54cd91d chore: upgrade depns
• afb7a12 docs: remove some badges
• 6c2484b docs: update README for supporting version
• c925c92 test: fix test case
• 6827330 chore: bump version to 3.0.0-rc.1
• f62692b ci: update .npmignore
• aa2637d ci: remove node 6 support and add linting in travis
• 801291b fix linting error
• f928547 travis add test on Node 12
• 12275f0 better linting
• eb23b1e linting fix
• 66194c7 bump major version to 3.0.0-rc
• f29084f Wait for client open, before calling db. (#321)
• d252bfc Install Stale bot
• 15d91c1 Transparent crypto support (#314)
• 08ccada Update readme refer to latest release to avoid confusion

See the full diff

Package name: express-validator

The new version differs by 250 commits.

• cd4136e 6.5.0
• 612e2d9 Don't modify requests if oneOf chain didn't succeed (#877)
• 7595c94 chain: comment out isDate for now
• 8b604af chain: add missing methods to Validators interface
• ab6ffe4 npm: upgrade validator to 13.0.0 (#874)
• 29374cb 6.4.1
• 70af46e npm: audit fix dependencies
• efbfe3a Only consider . to be special char for now
• 42819ae npm: update dependencies
• 7736384 Remove console.log
• 3814c0a Fix use of special chars in selectors
• 0c450a9 docs: fix... typo? (#842)
• 246f2ea docs: improve wording in matchedData page (#846)
• 6123155 docs: improve wording in whole-body validation (#845)
• 3124129 docs: fix typo in schema validation and improve wording (#844)
• d85b368 docs: fix verb tense in the custom validator page (#841)
• 19531ec docs: fix verb tense in the validationResult page (#847)
• f868e23 docs: small fixes in the wildcard feature (#843)
• 31d73c2 npm: add build script
• 008a0ae docs: migrate usages of sanitize to check
• 4bbe421 6.4.0
• acb2ad7 npm: run docs:build before git add on versioning
• 5e293cf Compile TS to ES2017 (#826)
• 0163461 npm: upgrade a few packages (#825)

See the full diff

Package name: googleapis

The new version differs by 250 commits.

• 20409df chore: release 49.0.0 (#2022)
• 7de4e78 chore(deps): update dependency null-loader to v4 (#2044)
• 340f78d chore(deps): update dependency ts-loader to v7 (#2043)
• 254f878 chore: remove unused dev packages (#2042)
• f4eb6e0 chore: update lint ignore files (#2040)
• 0110f3e docs: update readme for drive readme (#2039)
• 73d284b fix(deps): update common and auth (#2038)
• 476b71e test: use discovery docs from fixture (#2037)
• 3a3b61d build: remove unused codecov config (#2034)
• fea414a feat!: regenerate the API (#2028)
• 48a4f05 chore(dep)!: deprecate node 8 (#2021)
• 99ebacf test: the kitchen sink system test sometimes times out (#2020)
• 05090da fix: apache license URL (#468) (#2017)
• d15c656 chore: remove duplicate mocha config (#2016)
• 874edc3 build: update templates (#2013)
• dc16586 build: set AUTOSYNTH_MULTIPLE_COMMITS=true for context aware commits (#2012)
• 741c58b chore: update github actions configuration (#1999)
• 1fe744b chore(deps): update dependency @ types/rimraf to v3 (#1995)
• 5512eb5 chore(deps): update dependency typedoc to ^0.17.0 (#1993)
• 0a4db38 chore: release 48.0.0 (#1979)
• 074f641 fix: allow an empty requestBody to be provided for APIs that support multipart post (#1988)
• 8bcb212 feat!: run the generator (adds: displayvideo, gamesConfiguration, managedidentities, networkmanagement) (#1989)
• 8677588 build(tests): fix coveralls and enable build cop (#1982)
• 0679c78 build: update linkinator config (#1981)

See the full diff

Package name: isomorphic-fetch

The new version differs by 12 commits.

• fc5e0d0 3.0.0
• 496fa43 Add version that was previously uncomitted to the package.json due to the previous release process
• 9f5a8b6 Add a list of alternatives
• 49280e6 Resolve minor security issue
• 0f5edd0 Explain why Isomorphic Fetch is needed in docs (#135)
• e32b006 Fix travis (#190)
• db0aa8c Update to latest version
• 8bf02c4 Bump node-fetch from 1.7.3 to 2.6.1 (#189)
• 89c7e70 Merge pull request #93 from paulmelnikow/fetch_ponyfill
• 25e3cab Add link to fetch-ponyfill
• 8d33aba Merge pull request #90 from josiah0/update-lintspaces-cli
• c22fcda Update lintspaces-cli

See the full diff

Package name: jsonwebtoken

The new version differs by 28 commits.

• f313850 8.0.0
• f38bd8e updated changelog
• 2ec3263 Merge pull request #393 from ziluvatar/migration-notes-to-readme
• 12cd8f7 docs: readme, migration notes
• cfc04a9 Merge pull request #349 from ziluvatar/fix-max-age-number-and-seconds
• 3305cf0 verify: remove process.nextTick (#302)
• 0be5409 Reduce size of NPM package (#347)
• 2e7e68d Remove joi to shrink module size (#348)
• 66a4f8b maxAge: Add validation to timespan result
• e54e53c update changelog
• fb48dde 7.4.3
• 2e4e30b Merge pull request #386 from ziluvatar/issue_381
• 2a3404f add test & modify guard code
• 91ba14d Fixed alg non + secret set unit test
• b1ff632 Fix for #381. Set secret string before using jws when alg is none
• e56f904 update changelog
• 480bb9b 7.4.2
• c6a7026 Merge pull request #374 from ziluvatar/add-check-for-empty-secrets
• c584d1c sign: add check to be sure secret has a value
• 43739dc Merge pull request #371 from ziluvatar/docs-about-refreshing-tokens
• 016fc10 docs: about refreshing tokens
• 5f44a86 Merge pull request #365 from ziluvatar/information-regarding-base64-secrets
• c25e990 docs: verifying with base64 encoded secrets
• 2f36063 Merge pull request #360 from ziluvatar/add-ecdsa-tests

See the full diff

Package name: mongoose

The new version differs by 250 commits.

• 07946be chore: release v5.13.9
• 264554f fix: upgrade to mpath v0.8.4 re: security issue
• fc5fc7e fix: peg @ types/bson version to 1.x || 4.0.x to avoid stubbed 4.2.x release
• 1f28237 fix(populate): avoid setting empty array on lean document when populate result is undefined
• 1dc9b45 style: fix lint
• 3f7dfc5 fix(document): make `depopulate()` handle populated paths underneath document arrays
• b34d1d5 fix(index.d.ts): simplify UpdateQuery to avoid "excessively deep and possibly infinite" errors with `extends Document` and `any`
• 2a3399e docs: another layout fix for 5.x docs
• 5bf3c29 chore: update makefile again
• 191678c chore: update makefile re: #10607
• 776fae9 docs: fix up 5.x docs navbar
• a803885 test(typescript): add coverage for #10590
• bf43078 fix(index.d.ts): allow specifying `weights` as an IndexOption
• cb1e787 chore: release 5.13.8
• 5c0140c fix(index.d.ts): add `match` to `VirtualTypeOptions.options`
• 6122f4b docs(api): add `Document#$where` to API docs
• 2871c1b style: fix lint
• 8d00f62 Merge pull request #10587 from osmanakol/master
• 57e729b allow QueryOptions populate parameter use PopulateOptions
• 6c36263 fix(index.d.ts): allow strings for ObjectIds in nested properties
• e90aab1 docs(History): make a note about #10555
• fca0627 style: fix lint
• 6b92599 fix(populate): handle populating subdoc array virtual with sort
• 283d43f test(populate): repro #10552

See the full diff

Package name: nodemailer

The new version differs by 188 commits.

• 7e02648 v6.6.1
• 1750c0f v6.6.0
• 0636d58 Merge branch 'master' of github.com:nodemailer/nodemailer
• 058d414 v6.6.0
• fcb0d1f test: 💍 aws ses SDK v3 support
• 2ef39e3 test: 💍 aws ses connection verification
• 6107585 fix: 🐛 ses verify, add support for v3 API
• bf57cf5 Fixes resolveContent with streams overriding data
• 91108d7 v6.5.0
• 87d9b25 Pass through textEncoding to subnodes.
• 271f91b Update index.js
• 9b5fb94 v6.4.18
• 625a9ed Update README.md
• 1d24d8b docs: added rudimentary sponsor quote block
• a455716 Added OhMySMTP to services
• 6e045d1 v6.4.17
• ba31c64 v6.4.16
• 7e7b2b2 v6.4.15
• fca2041 Update CHANGELOG.md
• b4ccfa3 Oups
• 24b93bf Add ethereal.email to well-known/services.json
• 0f132fa doc: make the code a little more accessible with some code comments.
• 1815bad v6.4.14
• dd26ddd v6.4.13

See the full diff

Package name: nodemailer-mailgun-transport

The new version differs by 18 commits.

• 1b175ff Merge pull request #76 from adrukh/master
• f34f13a Update version to allow for a new release
• 7f8c664 Update `mailgun-js` to fix a vulnerability
• 515320f Merge pull request #73 from APshenkin/mock
• 3a14ca9 Fix proxy. Add ability to mock mailgun
• 88a2de7 Merge pull request #69 from vinceprofeta/patch-1
• b6581ae Update mailgun-transport.js
• 70f8b97 Merge pull request Fix/hours recalculation #36 from fry2k/proxy
• 61c2acb Bumped version; merged vuln fix
• 0b8f3c7 Merge pull request #66 from Ilshidur/patch-1
• 09b831b Vulnerability fix : bump mailgun-js
• fd9b070 Merge pull request #64 from cospired/fix/replyto_bug
• 19f3df5 FIX: use mailData instead of mail.data like in the rest of the code. ref #63
• b489104 FIX replyTo handling
• c97efb7 add tests for replyTo address conversation and field transformation (from nodemailer interface to mailgun interface), ref #63
• 0dfdb5e Merge pull request #62 from fossamagna/add-messageId-to-info
• d4e456a Add info.messageId property
• b216146 added proxy support

See the full diff

Package name: prop-types

The new version differs by 42 commits.

• fa6fbb7 15.6.2
• 5115f5c Merge pull request #180 from jaller94/master
• 2ac742c Merge pull request #171 from barrymichaeldoyle/master
• a7a5a64 Merge pull request #194 from facebook/no-fbjs
• d6c9c5c Preserve "Invariant Violation" name
• 07d1b47 Remove fbjs dependency
• 3c99d57 Remove trailing spaces
• a36cda8 Move explanation of `isRequired` and show it in `PropTypes.shape`
• ba3da12 Show that shapes can have required properties
• 2bde8eb Add example for `PropTypes.exact`
• d65f80e Updated vars to consts and lets in PropTypesProductionStandalone-test.js
• c10c93f Updated vars to consts and lets in PropTypesDevelopmentStandalone-test.js
• 8e2b34e Updated vars to consts and lets in PropTypesDevelopmentReact15.js
• c5527c8 Updated vars with consts and lets in PropTypesProductionReact15-test.js
• 7cc8c81 Add 15.6.1 to CHANGELOG
• 5df7296 15.6.1
• b7d03ce Point readme to correct docs for production builds (#153)
• a94243f Update the repository location (#148)
• 77c62a7 Fix failing tests (#129)
• 644844c Merge pull request #140 from flarnie/master
• 0b5db12 Add `CODE_OF_CONDUCT`
• a6900f0 Add CONTRIBUTING.md
• 492e230 Update README.md with improved importing for CDNs (#104)
• 155f4cc v15.6.0 for real

See the full diff

Package name: react-highcharts

The new version differs by 10 commits.

• da5a69e 15.0.0
• abf06db Merge branch 'master' of https://github.com/kirjs/react-highcharts
• 867e08d 14.0.0
• d984e32 Merge pull request #340 from m-allanson/highcharts-v6
• bc318a2 Specify the current Highcharts version in README
• b1dd6ad Fix typo
• a2cdea0 Update Highcharts to version 6
• 711c177 13.0.0
• a9c5aac Merge pull request #328 from anajavi/react16
• 9a5dd28 Add React 16 peer dependency and fix warning about defaultProps on React 16

See the full diff

Package name: serialize-javascript

The new version differs by 58 commits.

• b54341e v3.1.0
• 7cee7e4 Revert "support for bigint (#80)"
• 026a445 Bump mocha from 7.1.2 to 7.2.0 (#83)
• 5130a71 support for bigint (#80)
• ea76b23 Bump mocha from 7.1.1 to 7.1.2 (#82)
• 073c8d8 Bump nyc from 15.0.0 to 15.0.1 (#81)
• f21a6fb Don't replace regex / function placeholders within string literals (#79)
• 1ac487e [Security] Bump minimist from 1.2.0 to 1.2.5 (#78)
• c795cef Bump mocha from 7.1.0 to 7.1.1 (#77)
• 3064431 Bump mocha from 7.0.1 to 7.1.0 (#74)
• 9dbe8f6 Update example in README (#73)
• f5957ee v3.0.0
• eed510c Introduce support for Infinity (#72)
• 82bb2d2 Bump mocha from 7.0.0 to 7.0.1 (#71)
• fdfb10a Test on Node.js v12 (#70)
• 2f5f126 Bump mocha from 6.2.2 to 7.0.0 (#69)
• 35062c0 Bump nyc from 14.1.1 to 15.0.0 (#68)
• 6c43b02 v2.1.2
• 3e05a3f Ignore .nyc_output (#64)
• 3c46e8e Bump mocha from 6.2.0 to 6.2.2 (#62)
• 433fc9c 2.1.1
• 16a68ab Merge pull request from GHSA-h9rv-jmmf-4pgx
• 3bab6de Bump mocha from 6.2.1 to 6.2.2 (#60)
• 7a6b13d Bump mocha from 6.2.0 to 6.2.1 (#59)

See the full diff

Package name: snyk

The new version differs by 136 commits.

• adf9b7b feat: update deps
• 6b9b538 feat: add payload size to analytics
• 91893f6 feat: don't send `from` arrays in pkg trees
• f5c99b2 chore: node4 compatible syntax in test
• 4af5792 chore: drop babel
• 439195c feat: use proxy-agent for proxying
• 348ea15 chore: update .nvmrc to 4
• ff777dd feat: better url-opening ability for `snyk auth` flow
• c6f467e fix: code styling issues detected by lgtm
• 9bc11d1 feat: bail out on unsupported nodejs runtime versions
• aa6040e fix: pin snyk-policy version
• 42796e7 feat: drop support for Node < 4
• 933f3f1 feat: update snyk-resolve-deps to reduce size of dependencies
• 042c476 feat: remove update notifier
• 7e10aae feat: support yarn for protect scripts
• 6b6ce94 fix: dont suggest reinstallation for yarn projects
• 80e49fd fix: update test fixures expected version
• 38f993f fix: compatability with new pip version (10.0.0)
• db91114 feat: a seperate spinner for "Analyzing deps ..."
• 6a77349 fix: update snyk-go-plugin 1.4.5 -> 1.4.6
• 334f8b1 fix: remove vulns from analytics payload if present
• 58b5437 chore: adds security document
• b3d241a fix: bump snyk-python-plugin to better handle editable fragments
• 66d658a fix: analytics report includes duration of execution

See the full diff

Package name: underscore

The new version differs by 250 commits.

• bf5a0ed Merge branch 'template-variable-parameter'
• 7e3d404 Update annotated sources and minified bundles for 1.12.1
• 5343fbc Add version 1.12.1 to the documentation
• 44df929 Bump the version to 1.12.1
• 7e89b79 Un-document the fix for #2911 for the time being
• 4c73526 Fix #2911
• ef646cc Reflect real issue of #2911 in test from #2912
• a6159ff Fix indentation in the test from #2912
• 798eafa Update the link to the preview release (bugfix)
• 07cc415 Convert all RawGit links to Statically
• db7fb6a Add temporary note about preview release to index.html
• 548fa01 Merge pull request #2913 from ognjenjevremovic/test/time-tampering-tests
• 3a5c878 test: Assertion comment updates; `_.throttle` and `_.debounce`.
• 4d5d198 test: 💍 Time tampering tests for _.throttle and _.deobounce
• a4cc7c0 Add a test to confirm we are not vulnerable to CVE-2021-23337 (#2911)
• 745e9b7 Merge pull request #2896 from anderlaw/master
• af2f919 Correct "Non-numerical values in list will be ignored"
• c9b4b63 Put back test/vendor/qunit.* static files to fix live website tests
• 311b04e Merge pull request #2892 from kritollm/master
• 6568211 Make a comment render more nicely
• 0b93f06 Fixed a few more details
• 913bcf2 Resolved changes requested.
• 769a494 throttle cleanup
• 03f9781 Reimplementing timer optimization #1269

See the full diff

With a Snyk patch:

Severity	Priority Score (*)	Issue	Exploit Maturity
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution SNYK-JS-LODASH-567746	Proof of Concept
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	No Known Exploit
	579/1000 Why? Has a fix available, CVSS 7.3	Prototype Pollution npm:extend:20180424	No Known Exploit
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:hoek:20180212	Proof of Concept
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:mime:20170907	No Known Exploit
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:moment:20170905	No Known Exploit
	646/1000 Why? Mature exploit, Has a fix available, CVSS 5.2	Uninitialized Memory Exposure npm:stringstream:20180511	Mature
	509/1000 Why? Has a fix available, CVSS 5.9	Regular Expression Denial of Service (ReDoS) npm:tough-cookie:20170905	No Known Exploit
	576/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.1	Uninitialized Memory Exposure npm:tunnel-agent:20170305	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Some vulnerabilities couldn't be fully fixed and so Snyk will still find them when the project is tested again. This may be because the vulnerability existed within more than one direct dependency, but not all of the effected dependencies could be upgraded.

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic