[Snyk] Fix for 21 vulnerabilities

[bumplzz69]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:

  • package.json
  • package-lock.json

• Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
  Find out more.

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	726/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.1	Arbitrary File Overwrite SNYK-JS-BINLINKS-537608	No	Proof of Concept
	451/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 2.6	Unauthorized File Access SNYK-JS-BINLINKS-537609	No	Proof of Concept
	726/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.1	Arbitrary File Write SNYK-JS-BINLINKS-537610	No	Proof of Concept
	484/1000 Why? Has a fix available, CVSS 5.4	Open Redirect SNYK-JS-GOT-2932019	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-HOSTEDGITINFO-1088355	No	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-INI-1048974	No	Proof of Concept
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Prototype Pollution SNYK-JS-MINIMIST-2429795	No	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	No	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Insertion of Sensitive Information into Log File SNYK-JS-NPMREGISTRYFETCH-575432	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-NPMUSERVALIDATE-1019352	No	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-SSRI-1246392	Yes	Proof of Concept
	624/1000 Why? Has a fix available, CVSS 8.2	Arbitrary File Overwrite SNYK-JS-TAR-1536528	Yes	No Known Exploit
	624/1000 Why? Has a fix available, CVSS 8.2	Arbitrary File Overwrite SNYK-JS-TAR-1536531	Yes	No Known Exploit
	410/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) SNYK-JS-TAR-1536758	Yes	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579147	Yes	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579152	Yes	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579155	Yes	No Known Exploit
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-YARGSPARSER-560381	No	Proof of Concept
	434/1000 Why? Has a fix available, CVSS 4.4	Time of Check Time of Use (TOCTOU) npm:chownr:20180731	No	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: bin-links

The new version differs by 14 commits.

• f315830 chore(release): 1.1.6
• 642cd18 fix: prevent improper clobbering of man/bin links
• bc69419 update travis
• 52e6525 chore(release): 1.1.5
• b3cfd2e fix: don't filter out ./ man references
• 181e36d github settings
• fe39e10 chore(release): 1.1.4
• 25a34f9 fix: sanitize and validate bin and man link targets
• 02bb9e1 chore(deps): add npm-normalize-package-bin module
• 24324d3 chore(release): 1.1.3
• 5640f35 deps: cmd-shim@3.0.0
• cfd146b test: updating CI config to match current Node LTS
• 67351fa deps: bump devDeps
• 9d4127b deps: bump deps

See the full diff

Package name: chownr

The new version differs by 9 commits.

• 76c21fa 1.1.0
• e8f0dc7 auto-publish scripts
• b196e0e add tests for old readdir support
• e06dd8a Avoid unnecessary stats on node v10.10 and above
• 36a93e3 use lchown to address part 1 of TOCTOU issue
• a631d84 use lchown instead of chown, if available
• cdd4ce7 use modern JavaScript
• d548650 update tap
• 924de1e update travis

See the full diff

Package name: cli-columns

The new version differs by 4 commits.

• 89eaa84 drop travis and coveralls from readme
• 5da2489 upgrade deps, drop heavy dev deps, github actions, node 10+
• b9e986b Update readme.md
• ed6df24 Update copyright info

See the full diff

Package name: columnify

The new version differs by 34 commits.

• a532ca1 Release 1.6.0
• 92fdab6 Clean up readme badges, update stats.
• a350bf2 Add npm cache to CI.
• aae8411 Actually install & test in CI.
• b2fe72f Use github actions.
• 4b54106 Update node version in travis.yml.
• c820951 Update packages.
• 10ea59d Update packages.
• e768ed8 Revert "Merge pull request readable-stream@3.0.2 npm/cli#59 from njhoffman/master"
• 1cf9287 Merge pull request readable-stream@3.0.2 npm/cli#59 from njhoffman/master
• 091ddb0 Merge pull request Docs: mention --otp flag when prompting for OTP npm/cli#60 from sreekanth370/master
• bece43f Merge pull request Canary npm/cli#49 from tdmalone/patch-1
• 4b72760 Merge branch 'master' into master
• e7c082a Merge pull request Set lowercase headers for NPM audit requests npm/cli#62 from viceice/patch-1
• db4ee97 chore: bump version
• 0bd797f chore: require node v8
• ea15deb fix: update strip-ansi to v6.0.1
• 33c942e compatibility updates
• 5cb6515 fixed transipiling errors
• a27ddb8 version bump
• 95d9a8e extract strip-ansi dependency
• 4895ec1 version bump
• 64c77f5 version bump
• 1d3ef4b add modules key and main eky to package.json

See the full diff

Package name: hosted-git-info

The new version differs by 43 commits.

• 8d4b369 chore(release): 2.8.9
• 29adfe5 fix: backport regex fix from install: fix install checks for optional/dev dependencies npm/cli#76
• afeaefd chore(release): 2.8.8
• 5038b18 fix: replace update-notifier npm/cli#61 & config: support default user on IBM i npm/cli#65 addressing issues w/ url.URL implmentation which regressed node 6 support
• 7440afa chore(release): 2.8.7
• 2d0bb66 fix: Do not attempt to use url.URL when unavailable
• f2cdfcf fix: Do not pass scp-style URLs to the WhatWG url.URL
• e1b83df chore(release): 2.8.6
• ff259a6 Ensure passwords in hosted Git URLs are correctly escaped
• 624fd6f chore(release): 2.8.5
• e8325b5 fix: updated pathmatch for gitlab
• 4e4ea0f test: added script to get coverage report
• 4eb69eb test: removed unused testing structure
• ba44d9f test: moved all github url tests together
• 8d24551 test: added refactered tests for bitbucket
• 1fd9d66 test: added ignore; for 100% testing (this seems wonky)
• 921e6dd test: added basic test for ._fill() method
• ffe056f fix: updated pathmatch for gitlab
• 53364f9 test: added refactered tests for gists
• 888f9b4 test: added default fixtures and github specific fixtures
• 3d1ad71 chore(release): 2.8.4
• 2070453 chore: add npm dist-tag for legacy publishes
• f392f82 use var instead of let/const for ancient nodes
• cbf63b7 chore(release): 2.8.3

See the full diff

Package name: ini

The new version differs by 3 commits.

• 2da9039 1.3.6
• cfea636 better git push script, before publish instead of after
• 56d2805 do not allow invalid hazardous string as section name

See the full diff

Package name: libnpx

The new version differs by 15 commits.

• 84eeb54 chore(release): 10.2.4
• 7a03da5 test: patch child.js test
• 122ed5c deps: update yargs
• fa6a282 chore(release): 10.2.3
• 7d90a71 chore: update project settings, remove weall* stuff
• 26a8394 chore(release): 10.2.2
• e0eb3cb fix: install latest npm on travis for node 6
• e8b4a7e chore: put node 6 back in travis set
• 9a23db1 fix: correct Kat's github url
• 3733137 fix: Update changelog to fix old issue links
• 3192e0f v10.2.1
• 40df81c fix: point repo at proper git remote
• 43d68c8 fix: spurious test failure
• f51a8d3 travis: only test on supported node versions
• b7c8b9f fix(platform): drop node 4 and 7, add 9 and 10

See the full diff

Package name: mkdirp

The new version differs by 4 commits.

• b2e7ba0 0.5.2
• c5b97d1 bump minimist to 1.2 to fix security issue
• f2003bb test: add v4 and v5 to travis
• b8629ff tools: update tap + mock-fs. Fix broken test

See the full diff

Package name: node-gyp

The new version differs by 250 commits.

• f5fa6b8 chore: release 8.4.1
• cc37b88 fix: windows command missing space ([BUG] peer-dependency conflict when having "greater than or equal to" range >= npm/cli#2553)
• 8083f6b deps: npmlog@6.0.0
• 787cf7f docs: fix typo in powershell node-gyp update
• 7073c65 chore: release 8.4.0
• a27dc08 feat: build with config.gypi from node headers
• 5a00387 feat: support vs2022 ([BUG] <title>npm ERR! cb() never called! npm/cli#2533)
• fb85fb2 chore: release 8.3.0
• 5585792 feat(gyp): update gyp to v0.10.0 ([BUG] missing docs around package-lock.json inside the /node_modules/ dir npm/cli#2521)
• b05b4fe chore(deps): bump make-fetch-happen from 8.0.14 to 9.1.0
• 0a67dcd test: Python 3.10 was release on Oct. 4th ([BUG] npm install --force fails for peerOptional conflicts npm/cli#2504)
• f2ad87f chore: refactor the creation of config.gypi file
• bc47cd6 chore: release 8.2.0
• ed9a9ed feat(gyp): update gyp to v0.9.6 ([BUG] <title>Unable to add my password npm/cli#2481)
• 660dd7b doc: correct link to "binding.gyp files out in the wild" ([BUG] shows outdated support contact npm/cli#2483)
• ec15a3e chore(deps): bump tar from 6.1.0 to 6.1.2 (fix(docs): clean up npm unpublish docs npm/cli#2474)
• 78361b3 ISSUE_TEMPLATE.md: Instructions for old versions (V6 npm/cli#2470)
• f0882b1 fix: missing spaces
• c8c0af7 fix: doc how to update node-gyp independently from npm
• b6e1cc7 Add title to node-gyp version document ([BUG] Broken link in npm v7 series beta re. $npm_package_* environment variables (now gone) npm/cli#2452)
• b7bccdb ci: GitHub Actions Test on node: [12.x, 14.x, 16.x] ([BUG] User-defined run script overwritten by shell command npm/cli#2439)
• 161c235 doc(wiki): safer doc names, remove unnecessary TypedArray doc
• b52e487 doc(wiki): link to docs/ from README
• f0a4835 doc(wiki): move wiki docs into doc/

See the full diff

Package name: npm-lifecycle

The new version differs by 7 commits.

• cf5f5ca chore(release): 2.1.1
• dbbfe27 deps: bump deps to fix security advisories
• e96f550 deps: update node-gyp to v4.0.0
• f6cef1c chore: update CI for current Node LTS
• c137ac7 deps: bump devDeps
• 62c07d3 deps: bump deps
• 220cd70 fix(test): update postinstall script for fixture

See the full diff

Package name: npm-registry-fetch

The new version differs by 61 commits.

• 62ce833 chore(release): 4.0.5
• 43a5d84 chore: remove basic auth data from logs
• 71ab0e7 chore(release): 4.0.4
• fc5d94c Put default timeout back to zero
• 2e0c446 chore(release): 4.0.3
• d7d8c58 chore: publish as latest-v4
• 69c2977 fix: use 30s default for timeout as per README
• fe7b129 chore(doc): document the effect of ?write=true on caching
• ba8b4fe fix: always bypass cache when ?write=true
• b758555 chore(release): 4.0.2
• e3a0186 fix: Add null check on body on 401 errors
• ff5f990 test(check-response): Added missing tests
• 49059f0 chore(release): 4.0.1
• 8eae5f0 fix(deps): Add explicit dependency on safe-buffer
• 5dbd1d7 chore(release): 4.0.0
• 0c4f060 cacache@12.0.0, infer uid from cache folder
• 4b62980 chore(release): 3.9.1
• 7878bbe deps: make-fetch-happen@4.0.2
• e064215 deps: lru-cache@5.1.1
• 4491843 chore(release): 3.9.0
• a91f90c feat(auth): support username:password encoded legacy _auth
• fc0e119 chore(release): 3.8.0
• 0600986 feat(mapJson): add support for passing in json stream mapper
• 9eb0095 chore(release): 3.7.0

See the full diff

Package name: npm-user-validate

The new version differs by 2 commits.

• 5c5471c 1.0.1
• c8a87da fix: update email validation

See the full diff

Package name: npmlog

The new version differs by 7 commits.

• 15366fb 5.0.0
• d81ce11 docs: changelog for v5.0.0
• e420957 BREAKING CHANGE: update deps, lint, test coverage (ci summary: change console.error for console.log npm/cli#79)
• f0454b0 deps: bump tap
• c989a1c chore: update CI for current Node LTS
• 5414070 Appease standard
• c9ed17d package-lock@1

See the full diff

Package name: ssri

The new version differs by 5 commits.

• b7c8c7c chore(release): 6.0.2
• b30dfdb fix: backport regex change from 8.0.1
• a4337cd chore(release): 6.0.1
• cf86553 fix(opts): use figgy-pudding to specify consumed opts
• 97b032d deps: npm6ify pkglock

See the full diff

Package name: tar

The new version differs by 59 commits.

• 3e35515 4.4.18
• 52b09e3 fix: prevent path escape using drive-relative paths
• bb93ba2 fix: reserve paths properly for unicode, windows
• 2f1bca0 fix: prune dirCache properly for unicode, windows
• 9bf70a8 4.4.17
• 6aafff0 fix: skip extract if linkpath is stripped entirely
• 5c5059a fix: reserve paths case-insensitively
• fd6accb 4.4.16
• 53cea6e tests: run (and pass) on windows
• 166cfc0 fix: refactoring to pass tests on Windows
• ce5148e fix: refactoring to pass tests on Windows
• 3f2e2da fix: normalize paths on Windows systems
• e29a665 fix: properly prefix hard links
• fd2a38d chore: WriteEntry cleaner write() handling
• 7b2acc5 update deps
• 83bb22c WriteEntry backpressure
• 0dcc5b2 chore: track fs state on WriteEntry class, not in arguments
• adf3511 Avoid an unlikely but theoretically possible redos
• d688cad fix: properly handle top-level files when using strip
• ea6f254 unpack: keep path reservations longer
• b2a97e1 Address unpack race conditions using path reservations
• f0fe3aa basic path reservation system
• 843c897 4.4.15
• 46fe350 Remove paths from dirCache when no longer dirs

See the full diff

Package name: update-notifier

The new version differs by 42 commits.

• 311557e 6.0.0
• 9183541 Require Node.js 14 and move to ESM
• 3fdb218 5.1.0
• 73c391b Upgrade dependencies
• 0a6027e Move to GitHub Actions
• d8fa601 Rename `master` branch to `main`
• f63b2eb 5.0.1
• 9e2b772 Update dependencies
• da7c464 5.0.0
• 5b440c2 Require Node.js 10
• 3dfe42d Don't suggest to upgrade to lower version (Clarify usage of bundledDependencies npm/cli#192)
• 132b7ce Remove a project from "Users" section (Canary npm/cli#191)
• c9d2166 4.1.1
• f42fc8f Improve vertical alignment of the notifier output (licensee@7.0.1 npm/cli#183)
• 71a3f19 Use HTTPS links
• 64c5236 Fix Travis
• 9d9f4ff 4.1.0
• 4062f12 Update dependencies
• adbeb6e Add template support for the `message` option (token: fix otp for create and remove npm/cli#175)
• adf7803 4.0.0
• fb5161c Remove the `callback` option (stars: Fix typo in error message npm/cli#158)
• 39682de Rename `boxenOpts` option to `boxenOptions`
• bc1721a Avoid showing notification if current version is the latest (Ask to make an issue if there is an error npm/cli#174)
• ccaf686 Update dependencies

See the full diff

With a Snyk patch:

Severity	Priority Score (*)	Issue	Exploit Maturity
	626/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.1	Man-in-the-Middle (MitM) SNYK-JS-HTTPSPROXYAGENT-469131	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution
🦉 Arbitrary File Write
🦉 Arbitrary File Write
🦉 More lessons are available in Snyk Learn