[Snyk] Fix for 18 vulnerabilities

[snyk-bot]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • packages/protocol/package.json
  • packages/protocol/.snyk

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	619/1000 Why? Has a fix available, CVSS 8.1	Prototype Pollution SNYK-JS-AJV-584908	Yes	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	No	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-ASYNC-2441827	Yes	Proof of Concept
	554/1000 Why? Has a fix available, CVSS 6.8	Cryptographic Issues SNYK-JS-ELLIPTIC-1064899	No	No Known Exploit
	509/1000 Why? Has a fix available, CVSS 5.9	Timing Attack SNYK-JS-ELLIPTIC-511941	No	No Known Exploit
	706/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.7	Cryptographic Issues SNYK-JS-ELLIPTIC-571484	No	Proof of Concept
	484/1000 Why? Has a fix available, CVSS 5.4	Open Redirect SNYK-JS-GOT-2932019	No	No Known Exploit
	579/1000 Why? Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-MATHJS-1016401	Yes	No Known Exploit
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Prototype Pollution SNYK-JS-MINIMIST-2429795	Yes	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MOCHA-561476	Yes	No Known Exploit
	539/1000 Why? Has a fix available, CVSS 6.5	Information Exposure SNYK-JS-NODEFETCH-2342118	No	No Known Exploit
	520/1000 Why? Has a fix available, CVSS 5.9	Denial of Service SNYK-JS-NODEFETCH-674311	No	No Known Exploit
	596/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.5	Arbitrary Code Injection SNYK-JS-UNDERSCORE-1080984	No	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-WS-1296835	No	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-YARGSPARSER-560381	No	Proof of Concept
	676/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.1	Regular Expression Denial of Service (ReDoS) npm:diff:20180305	No	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: mathjs

The new version differs by 250 commits.

• 2594c69 Publish v7.5.1
• ecb8051 Fix object pollution vulnerability in `math.config`
• a2858e2 Publish v7.5.0
• a72deb3 Update history
• c5ab722 Merge branch 'pickrandom-allow-any-array)' of https://github.com/KonradLinkowski/mathjs into develop
• 7575156 Publish v7.4.0
• 642db06 Update history
• 439ec41 Feat/rotate matrix ([Blockscout] Blockscout should refer to Betanet as Baklava celo-org/celo-monorepo#1984)
• 7854a9b Update history
• a5cbb6a pickRandom - flatten the array
• ca05c25 Allow any array in pickRandom function
• bc4d94b Update history and authors list
• becab40 sqrtm - throw an error for matrices with dimension greater than two (DOCS README add repo structure section celo-org/celo-monorepo#1977)
• f3c4a90 Update history
• 9f06dad floor and cell with precision ([Wallet] Redesigning notification lists celo-org/celo-monorepo#1967)
• 76f6085 Publish v7.3.0
• 73c66b9 Update devDependencies
• f2d7a1b Update history and authors list
• 1d0ce02 Merge remote-tracking branch 'origin/develop' into develop
• f5d843b Binary, octal, and hexadecimal literals and formatting (Fix broken translation (decline, pay) celo-org/celo-monorepo#1968)
• d82fc39 Simplify require url in math_worker example
• 91fa8ea Fix require url in math_worker example
• 18996cb Update devDependencies
• 93ac70a Update history and authors list

See the full diff

Package name: mocha

The new version differs by 250 commits.

• eb781e2 Release v6.2.3
• 10dbe94 update CHANGELOG for v6.2.3 [ci skip]
• 848d6fb security: update mkdirp, yargs, yargs-parser
• 843a322 6.2.2
• aec8b02 update CHANGELOG for v6.2.2 [ci skip]
• 7a8b95a npm audit fixes
• cebddf2 Improve reporter documentation for mocha in browser. ([Web] EventKit  celo-org/celo-monorepo#4026)
• 3f7b987 uncaughtException: report more than one exception per test (“Back” and “Cancel” button both are shown on “Verifying” screen while verifying phone number.  celo-org/celo-monorepo#4033)
• ee82d38 modify alt text of image from Backers to Sponsors inside Sponsors section in Readme (celocli governance:withdraw throws TypeError celo-org/celo-monorepo#4046)
• e9c036c special-case parsing of "require" in unparseNodeArgs(); closes Failed to initialize libusb. WSL Ubuntu 18.04 + docker-toolbox celo-org/celo-monorepo#4035 ([Wallet] Fix e2e tests celo-org/celo-monorepo#4063)
• 954cf0b Fix HTMLCollection iteration to make unhide function work as expected ([PGPNP] Update configs/readme for distributed partners to run signer service celo-org/celo-monorepo#4051)
• 816dc27 uncaughtException: fix double EVENT_RUN_END events (Update dependency versions celo-org/celo-monorepo#4025)
• 9650d3f add OpenJS Foundation logo to website (Major flows (e.g. sending cUSD, onboarding, etc.) analytics is easily accessible celo-org/celo-monorepo#4008)
• f04b81d Adopt the OpenJSF Code of Conduct (EventKit 1 (pre work) celo-org/celo-monorepo#3971)
• aca8895 Add link checking to docs build step (Refactor "getting started" docs to improve security and reliability of the resulting setup celo-org/celo-monorepo#3972)
• ef6c820 Release v6.2.1
• 9524978 updated CHANGELOG for v6.2.1 [ci skip]
• dfdb8b3 Update yargs to v13.3.0 (Improve invitation & redemption experience celo-org/celo-monorepo#3986)
• 18ad1c1 treat '--require esm' as Node option ([Stretch] Remove Stale/unused features celo-org/celo-monorepo#3983)
• fcffd5a Update yargs-unparser to v1.6.0 (Collect Early Feedback celo-org/celo-monorepo#3984)
• ad4860e Remove extraGlobals() (Capital W on Welcome celo-org/celo-monorepo#3970)
• b269ad0 Clarify effect of .skip() (make _activate private because it has a nice accessor already celo-org/celo-monorepo#3947)
• 1e6cf3b Add Matomo to website (Add PGPNP support to iOS celo-org/celo-monorepo#3765)
• 91b3a54 fix style on mochajs.org ( “Gold Activity” page is shown for a while before asking for a security PIN while buying / selling gold from the “Gold” tab. celo-org/celo-monorepo#3886)

See the full diff

Package name: solidity-bytes-utils

The new version differs by 18 commits.

• e93b867 Add deleted set of memory variables accidentally deleted with the last PR to master
• fa2792e Revert version constraints back to `^0.5.0` in order to enhance compatibility
• 425edac Merge branch 'master' into develop
• 7727420 Change truffle config file to always use the right compielr version
• 87e1c28 Add eth lint ([Snyk] Fix for 1 vulnerabilities #30)
• 1b55da7 Revert "Publish to GitHub package manager"
• 0cfd42f Publish to GitHub package manager
• 8f91f5d Merge branch 'master' into develop
• e3d1f68 Fix for new truffle version breaking Codeship CI
• 8183d09 Merge branch 'master' into develop
• 5f91a80 Hotfix for correct EPM deployment
• 0061b62 v0.0.8 - Additional uint typecasting methods ([Snyk] Fix for 1 vulnerabilities #28)
• cd17878 Bump version to 0.0.8
• 541c524 Update dependencies
• de03428 Merge branch 'master' into develop
• db88c30 Fix README with correct example of import from NPM
• 658e88b Implement toUintXX for 64, 96 and 128 bits ([Snyk] Fix for 1 vulnerabilities #25)
• 14ca2bd v0.0.7 - Upgrade to Solidity v0.5.0 ([Snyk] Fix for 1 vulnerabilities #22)

See the full diff

Package name: truffle

The new version differs by 250 commits.

• 90c9f7e Publish
• 8f135ce Update yarn.lock
• 17b997c Merge pull request [web] Celo Timeline celo-org/celo-monorepo#3152 from trufflesuite/gwei
• 53f037e Merge pull request Add Mainnet Timeline to HomePage celo-org/celo-monorepo#3146 from trufflesuite/update-mocha
• 7113313 Update highlightjs-solidity
• 6db3b6a Merge pull request Minor Support Flow Improvements celo-org/celo-monorepo#3150 from trufflesuite/cruz/trufflesuite/web3-provider-engine-15.0.0-2
• 4c81358 Upgrade dependency: @ trufflesuite/web3-provider-engine@15.0.0-2
• c78e34c Merge pull request [Wallet] Fix vertical alignment of text in inputs celo-org/celo-monorepo#3149 from trufflesuite/more-yul-jump-handling
• 9944cc8 Update debugger tests to 0.6.11
• 6714cc8 Fix interaction of phantom guard and jumps into unmapped code
• e5db488 Better format locations with missing source path
• 078ea1e Accept colors as a mocha config field
• 21aa179 Correct typo with color property
• 56feea0 Add color option to the mocha config
• 22f4cdc Leave the debugger package using an older version of Mocha to bump later
• afba441 Remove useColors option for mocha
• 1f5ac1f Remove node 8 from github actions tasks
• 3f19f30 Update travis config
• 6fbd31d Remove call in logger for tests
• 3e55bc7 Update Mocha
• 008497b Merge pull request Add new recommendations to the vscode extensions celo-org/celo-monorepo#3145 from trufflesuite/bug/ethpm-method
• 32fe89a Update @ public to @ external to comply with changes to vyper in version 0.2.0
• df44f8b Add space in vyper command
• 9628aa3 Increase test timeout

See the full diff

With a Snyk patch:

Severity	Priority Score (*)	Issue	Exploit Maturity
	576/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.1	Uninitialized Memory Exposure npm:tunnel-agent:20170305	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution
🦉 Regular Expression Denial of Service (ReDoS)
🦉 Prototype Pollution
🦉 More lessons are available in Snyk Learn