[Snyk] Fix for 28 vulnerabilities

[snyk-bot]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:

  • package.json
  • package-lock.json

• Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
  Find out more.

Vulnerabilities that will be fixed

With an upgrade:

Severity	Issue	Breaking Change	Exploit Maturity
	Prototype Pollution SNYK-JS-JQUERY-174006	No	No Known Exploit
	Denial of Service (DoS) SNYK-JS-JSYAML-173999	No	No Known Exploit
	Arbitrary Code Execution SNYK-JS-JSYAML-174129	No	No Known Exploit
	Prototype Pollution SNYK-JS-LODASH-450202	Yes	Proof of Concept
	Prototype Pollution SNYK-JS-LODASH-73638	Yes	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	Yes	No Known Exploit
	NULL Pointer Dereference SNYK-JS-NODESASS-535500	No	No Known Exploit
	Out-of-bounds Read SNYK-JS-NODESASS-535501	No	No Known Exploit
	Uncontrolled Recursion SNYK-JS-NODESASS-535503	No	No Known Exploit
	Resource Exhaustion SNYK-JS-NODESASS-535504	No	No Known Exploit
	NULL Pointer Dereference SNYK-JS-NODESASS-535505	No	No Known Exploit
	Denial of Service (DoS) SNYK-JS-NODESASS-540982	No	No Known Exploit
	Denial of Service (DoS) SNYK-JS-NODESASS-542662	No	No Known Exploit
	Regular Expression Denial of Service (ReDoS) npm:braces:20180219	No	Proof of Concept
	Uninitialized Memory Exposure npm:concat-stream:20160901	No	Mature
	Prototype Pollution npm:hoek:20180212	No	No Known Exploit
	Regular Expression Denial of Service (ReDoS) npm:jasmine-core:20180216	Yes	Proof of Concept
	Prototype Pollution npm:lodash:20180130	Yes	No Known Exploit
	Uninitialized Memory Exposure npm:tunnel-agent:20170305	No	Proof of Concept

Commit messages

Package name: grunt

The new version differs by 42 commits.

• 8fcbed1 v1.0.4 ([BUG] Collection secondary content icon alignment issues Dogfalo/materialize#1668)
• 0b13970 Update js-yaml to address https://npmjs.com/advisories/788 (Dropdown hover doesn't work in JS version 0.97 Dogfalo/materialize#1667)
• 7db6cf7 Use SOURCE_DATE_EPOCH to render dates in template. (File input field align error Dogfalo/materialize#1596)
• a2d6d80 Revert "Indicate in package.json that Node.js 4 or newer is required (how to manually close modal? Dogfalo/materialize#1643)" (Remove list style from Collection Header by default. Dogfalo/materialize#1644)
• 773b7e7 Indicate in package.json that Node.js 4 or newer is required (how to manually close modal? Dogfalo/materialize#1643)
• 9ba3a99 1.0.3
• eee4c33 Changelog v1.0.3
• 46da7f2 Merge pull request Having trouble trying to reproduce this tab effect Dogfalo/materialize#1636 from gruntjs/upt
• 00f4d8a Drop support for Node 0.10 and 0.12
• e852727 util update
• 56d702e Update deps
• 0105524 Fix race condition with file.mkdir and make it operate more similarily to mkdir -p (Dropdown on collection limit Dogfalo/materialize#1627) r=@vladikoff
• 303d445 https links (Allow to disable a Tooltip Dogfalo/materialize#1629)
• d969132 Merge pull request Add history/state for tabs Dogfalo/materialize#1624 from gruntjs/rm-bump-deps
• 289ff91 Remove old bump task and deps
• ccc3163 v1.0.2
• e7795dc Remove iojs from test matrix (Multiple images for lightbox? Dogfalo/materialize#1622)
• a6a133b Remove deprecation warning for coffeescript (Range Slider (Forms) doesn't update the current value during slide Dogfalo/materialize#1621) r=@vladikoff
• 06b377e https links to webchat.freenode.net and gruntjs.com (Simple uri bug in parallax template Dogfalo/materialize#1610)
• 7c5242f Use node executable for local grunt bin for Windows support
• f6cbb63 Oh right, Windows isnt bash
• a9a20da Try and debug why appveyor is failing on npm
• 48bba6c Move to the test script to avoid npm was unexpected at this time.
• 6b97ac0 Try to fix appveyor script

See the full diff

Package name: grunt-contrib-jasmine

The new version differs by 20 commits.

• 201bb2a Release v2.0.3
• 9b18221 Upgrade npm dependencies
• d0e2572 fix: build only should pass if the buildSpecrunner runs without error
• 74855ed Update dependencies
• d65dd20 v2.0.2
• d7f652f Fix typo
• 55a5f1f Wait for spec runner before larunching browser
• 408a233 Set the startTime before calling sendMessage
• a30f731 Create new optional 'noSandbox' option to launching Puppeteer with no-sandbox arg.
• a88f31b Launching Puppeteer with no-sandbox arg.
• de29770 v2.0.1
• a71cc54 Use the grunt current working directory to find the jasmine core folder (Wish to clear date field value Dogfalo/materialize#277)
• f3c320c Deals with Code Clean :) Dogfalo/materialize#274 (Select box doesn't render if added dynamically! Dogfalo/materialize#275)
• a21b0b1 Implement options.version (Do a special dropdown for the small devices Dogfalo/materialize#273)
• 7d3dbdc update template usage (Dropdown Hover:false Dogfalo/materialize#272)
• 51feacb Update deps (Does SideNav also work other than on mobile? Dogfalo/materialize#271)
• 02e72f3 Switch from PhantomJS to Chrome Headless via Puppeteer (Input-field class documentation Dogfalo/materialize#269)
• 55594d0 1.2.0
• 5fc2536 Update ci (Add Sidebar Naviagation Dogfalo/materialize#268)
• cc8572c Fix deprecation warning in Node.js 7 (Increased z-index of dropdown menu Dogfalo/materialize#262)

See the full diff

Package name: jasmine

The new version differs by 32 commits.

• 33c5f8c bump version to 3.1
• bdc7ab4 Tell Jasmine-core not to handle load errors itself
• ea0c23e better error reporting when an invalid --reporter is specified
• 74d3e96 bump version to 3.0
• b8cf9aa Merge branch 'master' into 3.0-features
• 353fecc bump version to 2.99
• 4d48e70 ignore package-lock so we always get new versions in CI
• b831ccf Add --fail-fast to help message
• 375b7aa Support stopping jasmine execution on first spec failure
• 9aea4e9 Add ability to pass `--reporter` on the command line
• 76f9fa2 Print full details for suite failures
• 9cda3c3 Version bump to 2.9.0
• 38d5568 Report how to re-run Jasmine with the current seed
• 9af225e Run specs in random order by default
• 1e5a1f6 Merge branch 'master' into 3.0-features
• c3271d2 Use the correct `addMatchers` interface from core
• f55808f Updated node.js versions
• ca8e39b Ignore vim swap files
• a17e3f9 Depend on core 3.0
• 5643389 Added an editorconfig file
• 894f6c3 Treat suites with focused specs as failures
• dcca51c Removed deprecated completion callback from console reporter
• 19ca208 Update dependencies
• 44e28d6 Removed 0.10.x compatibility code

See the full diff

Package name: lint-staged

The new version differs by 11 commits.

• 3d0ccb2 fix(package): Update jest-validate to version 23.0.0 (Wave buttons outline bug in the Firefox Dogfalo/materialize#458)
• a8816f5 ci: Update CI scripts to test against current Node release (Valign not working in Safari Dogfalo/materialize#453)
• 9e27620 fix: Add .lintstagedrc.js to list of config files to search
• a56d7c9 fix(package): Update listr to version 0.14.1 (Added new important class! Dogfalo/materialize#445)
• 2fc7aa3 fix(package): Update cosmiconfig to version 5.0.2 (Correcting the dropdowns positioning bug Dogfalo/materialize#444)
• ec4f4f2 chore: Use npm as script runner (<ol> does not display decoration Dogfalo/materialize#456)
• 9823d26 fix(cli): Correct value for FORCE_COLOR env var (Added a Toast dismiss click handler Dogfalo/materialize#451)
• 1601c02 feat: Chunked execution of linters on Windows only (Fix typo Dogfalo/materialize#439)
• 0924e78 docs: Mention npx mrm lint-staged template (Modal alignment in IE Dogfalo/materialize#438)
• b9d84ce fix: Update "please-upgrade-node" to version 3.0.2 (.active not applied to already-filled inputs Dogfalo/materialize#434)
• 5fba40d docs: Link to AgentConf talk by @okonet (Full Screen Image Slider Dogfalo/materialize#431)

See the full diff

Package name: node-sass

The new version differs by 130 commits.

• b54053a Update changelog
• 01db051 4.13.1
• 338fd7a Merge pull request from GHSA-f6rp-gv58-9cw3
• c6f2e5a doc: README example fix (Button inside carousel is not working Dogfalo/materialize#2787)
• fbc9ff5 Merge pull request How to reduce spacing between two cards Dogfalo/materialize#2754 from saper/no-map-if-not-requested
• 60fad5f 4.13.0
• 43db915 Merge pull request Split forms sass partial in subpartials Dogfalo/materialize#2768 from sass/release-4-13
• 0c8d308 Update references for v4.13 release
• f1cc0d3 Use GCC 6 for Node 12 binaries (checkbox visibility being set to hidden is unnecessary and unhelpful. Dogfalo/materialize#2767)
• 3838eae Use GCC 6 for Node 12 binaries
• e84c6a9 Merge pull request Dropdown - Stop Event Propagation Support Dogfalo/materialize#2766 from saper/node-modules-79
• 64b6f32 Node 13 support
• 8498f70 Fix Added basic tabs test for active tab, clicking tab and scrollable tabs Dogfalo/materialize#2394: sourceMap option should have consistent behaviour
• 8d0acca Merge pull request Missing the cool input and textarea underline effect Dogfalo/materialize#2753 from schwigri/master
• b0d4d85 Fix broken link to NodeJS docs in README.md
• 887199a Merge pull request Cannot put a tooltip on a dropdown <li> Dogfalo/materialize#2730 from kessenich/master
• b1f54d7 Fix On mobile phone screen, div with class 'drag-target' close right part of 'slide-nav' menu Dogfalo/materialize#2614 - Update lodash version
• 96aa279 Merge pull request My Icon Break on Some Device How to Fix this? Dogfalo/materialize#2726 from XhmikosR/master-xmr-typos
• 8421979 Assorted typo fixes.
• 2513e6a chore: Remove PR template
• 7ab387c Merge pull request Scrollfire test Dogfalo/materialize#2673 from abetomo/remove_sudo_setting_from_travis
• 15355dd Remove sudo settings from .travis.yml
• 0c1a49e chore: Add not in PR template about node-gyp 4.0
• e59f5ba chore: Change note about Node 12 support

See the full diff

Package name: phantomjs-prebuilt

The new version differs by 6 commits.

• 0cc1407 Merge pull request ASP.Net MVC Checkbox Dogfalo/materialize#746 from avindra/patch-1
• 2c46265 Dependencies: change tilde to caret
• a98231b Merge pull request Fullscreen Slider Dogfalo/materialize#733 from avindra/patch-1
• 19c6d4c Bump package.json version
• 65b57f7 Merge pull request Syntax Error on navbar.html page Dogfalo/materialize#732 from Ilshidur/patch-1
• cc52482 Dependencies update : fix security issues

See the full diff

With a Snyk patch:

Severity	Issue	Exploit Maturity
	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	No Known Exploit
	Prototype Pollution npm:extend:20180424	No Known Exploit
	Prototype Pollution npm:hoek:20180212	No Known Exploit
	Prototype Pollution npm:lodash:20180130	No Known Exploit
	Regular Expression Denial of Service (ReDoS) npm:mime:20170907	No Known Exploit
	Regular Expression Denial of Service (ReDoS) npm:ms:20170412	No Known Exploit
	Prototype Override Protection Bypass npm:qs:20170213	No Known Exploit
	Uninitialized Memory Exposure npm:stringstream:20180511	Mature
	Regular Expression Denial of Service (ReDoS) npm:tough-cookie:20170905	No Known Exploit
	Uninitialized Memory Exposure npm:tunnel-agent:20170305	Proof of Concept
	Regular Expression Denial of Service (DoS) npm:uglify-js:20151024	No Known Exploit
	Insecure Randomness npm:ws:20160920	No Known Exploit

Note that some vulnerabilities couldn’t be fully fixed, and so will still fail the Snyk test report.

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:

🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic