[Snyk] Fix for 16 vulnerabilities

[snyk-bot]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	641/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.4	Prototype Pollution SNYK-JS-JSON5-3182856	Yes	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LOADERUTILS-3042992	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-LOADERUTILS-3043105	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LOADERUTILS-3105943	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	Yes	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-450202	Yes	Proof of Concept
	731/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.2	Prototype Pollution SNYK-JS-LODASH-567746	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-POSTCSS-1255640	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Poisoning SNYK-JS-QS-3153490	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Validation Bypass SNYK-JS-SANITIZEHTML-1070780	Yes	Proof of Concept
	539/1000 Why? Has a fix available, CVSS 6.5	Access Restriction Bypass SNYK-JS-SANITIZEHTML-1070786	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-SANITIZEHTML-2957526	Yes	No Known Exploit
	684/1000 Why? Has a fix available, CVSS 9.4	Arbitrary Code Execution SNYK-JS-SANITIZEHTML-585892	Yes	No Known Exploit
	484/1000 Why? Has a fix available, CVSS 5.4	Cross-site Scripting (XSS) npm:jquery:20150627	No	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Override Protection Bypass npm:qs:20170213	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: babel-loader

The new version differs by 218 commits.

• 1a76476 7.0.0
• 7307226 Point changelog to releases
• 174cb10 Merge branch '7.0'
• 2204871 Add prettier (Jetpack Plugins: Give a more specific error message on plugin activation/deactivation/update failures Automattic/wp-calypso#409)
• dbec80d Make sure .babelrc is a file, not a directory (Docs: add "components.md" documentation. Automattic/wp-calypso#427)
• aa485e4 Use bash codecov (Add development badge with a link to DevDocs Automattic/wp-calypso#440)
• 16522b6 yarn.lock
• 660922b Update ava to the latest version 🚀 (Framework: color tabs on Chrome Android using theme-color meta Automattic/wp-calypso#434)
• 5d248b5 Update cross-env to the latest version 🚀 (Signup: move MLB flow to Calypso Automattic/wp-calypso#431)
• 74ff2e6 Updated documentation to match webpack v2 changes. (Notices: Sass @extend directive should not be used inside a @media directive Automattic/wp-calypso#438)
• ed8711d Add note about webpack versions
• a7342de 7.0.0-beta.1
• fb8c271 Merge branch 'fix-options' into 7.0
• 1ed7ff5 Merge branch 'master' into 7.0
• e20f6b6 Changelog for 6.4.1 (Editor: Prevent horizontal scroll on small screen views Automattic/wp-calypso#424)
• 48325ea 6.4.1
• 87e4e85 target node 4 in preset env (Sharing: Connections page not accessible via keyboard Automattic/wp-calypso#423)
• f3241f8 Fixed reset of BABEL_ENV when options.forceEnv is used (Jetpack Plugins: widow on "all plugins up to date" message Automattic/wp-calypso#420)
• 05a31c5 7.0.0-alpha.3
• ad77367 Ensure options are always an object (Jetpack Plugins: Show toggle statuses in Manage view Automattic/wp-calypso#413)
• e8aa302 Ensure options are always an object
• b9209e7 7.0.0-alpha.2
• 3f51915 Update yarn.lock
• c18b16a Fix merge conflict

See the full diff

Package name: express

The new version differs by 250 commits.

• 3d7fce5 4.17.3
• f906371 build: update example dependencies
• 6381bc6 deps: qs@6.9.7
• a007863 deps: body-parser@1.19.2
• e98f584 Revert "build: use minimatch@3.0.4 for Node.js < 4"
• a659137 tests: use strict mode
• a39e409 tests: prevent leaking changes to NODE_ENV
• 82de4de examples: fix path traversal in downloads example
• 12310c5 build: use nyc for test coverage
• 884657d examples: remove bitwise syntax for includes check
• 7511d08 build: use minimatch@3.0.4 for Node.js < 4
• 2585f20 tests: fix test missing assertion
• 9d09762 build: supertest@6.2.2
• 43cc56e build: clean up gitignore
• 1c7bbcc build: Node.js@14.19
• 9cbbc8a deps: cookie@0.4.2
• 6fbc269 pref: remove unnecessary regexp for trust proxy
• 2bc734a deps: accepts@~1.3.8
• 89bb531 docs: fix typo in res.download jsdoc
• 744564f tests: add test for multiple ips in "trust proxy"
• da6cb0e tests: add range tests to res.download
• 00ad5be tests: add more tests for app.request & app.response
• 141914e tests: fix tests that did not bubble errors
• bd4fdfe tests: remove global dependency on should

See the full diff

Package name: html-loader

The new version differs by 79 commits.

• 90c7b60 chore(release): html-loader v0.4.5
• 5e12be4 fix(getOptions): deprecation warn in loaderUtils (People: Implement add new user page Automattic/wp-calypso#114)
• 7c28052 Merge pull request Framework: I can scroll background when modal shows Automattic/wp-calypso#110 from AvraamMavridis/patch-1
• 48df894 Merge pull request New post button changes when searching in page for "p" or "n" Automattic/wp-calypso#111 from michael-ciniawsky/license
• 7967578 docs(LICENSE): relicense to JSF
• 3e09605 update to webpack 2 syntax
• c600df4 chore: update readme, html -> html-loader
• f337b3e Merge pull request Framework: Filter bar height structure is wonky Automattic/wp-calypso#109 from montogeek/patch-1
• 318e70e Fix Maintainer section look
• 557e127 Merge pull request i18n: External link icon should be mirrored in RTL Automattic/wp-calypso#103 from kevinzwhuang/master
• 1ba23b2 Merge pull request Framework: Popover allows placement outside viewport in mobile Automattic/wp-calypso#105 from laland/master
• 84c49eb [export formats] fixes es6 default export
• 2d7d33c Merge pull request [Snyk] Fix for 1 vulnerabilities #100 from pmmenneg/patch-1
• b555e4e Merge pull request Framework: toTitleCase butchers German UTF-8 Automattic/wp-calypso#104 from zhulongzheng/master
• e511e3a Update README.md
• 7fbebd0 Merge pull request [Snyk] Security upgrade cookie from 0.1.2 to 0.7.0 #99 from laland/master
• 25ebe3f Update README to reflect Webpack 2 change to require -loader suffix
• fa9132e fixes formatting issues
• 83d3d51 Minor correction to README config format
• ef00666 adds "exportAsDefault"
• f12aab1 s/Hermanth/Hemanth/g
• 4633a1c Merge pull request [Snyk] Security upgrade express from 4.13.3 to 4.21.0 #97 from laland/master
• 25206b3 [#PR97] updates tests and docs
• 74fcfb3 Merge pull request [Snyk] Security upgrade webpack from 1.12.15 to 5.94.0 #96 from Fire-Dragon-DoL/mention_extract_loader

See the full diff

Package name: imports-loader

The new version differs by 15 commits.

• 3c8b7f2 chore(release): imports-loader v0.7.1
• 2be21e4 ci(Travis): update to contrib standard build ([Snyk] Security upgrade postcss-cli from 2.5.1 to 8.0.0 #42)
• 7129a27 fix(getOptions): deprecation warn in loaderUtils ([Snyk] Security upgrade node-sass from 3.4.2 to 3.7.0 #41)
• 0e14835 Merge pull request [Snyk] Fix for 1 vulnerabilities #40 from webpack-contrib/d3viant0ne-JSFMaintainers
• cac3c87 docs(readme): updates for JSF maintainers
• 1867023 0.7.0
• 7c03b4d add license file
• 6f422ef only include index file in npm package
• 1eb9dbe update source-map dep
• 77fed5b add travis
• d43cecd Support dot notation in variable names ([Snyk] Security upgrade rtlcss from 1.6.1 to 1.7.3 #30)
• 6cdd994 Add -suffix to README examples to reflect Webpack 2 change ([Snyk] Fix for 1 vulnerabilities #34)
• d73e591 Clarify introductory sentences ([Snyk] Security upgrade jquery from 1.11.3 to 3.5.0 #31)
• f682af5 Merge pull request [Snyk] Fix for 2 vulnerabilities #27 from rgbkrk/patch-1
• 97b5305 Add missing brace

See the full diff

Package name: qs

The new version differs by 118 commits.

• 90d9f2b v6.2.4
• ba24e74 [Fix] `parse`: ignore `__proto__` keys (Add a small Calypso banner on top of the HTML Automattic/wp-calypso#428)
• f047c9d [Dev Deps] backport from main
• 5f8e28b [actions] backport actions from main
• 2c38654 [Robustness] `stringify`: avoid relying on a global `undefined` (Docs: add "components.md" documentation. Automattic/wp-calypso#427)
• 37e176d [meta] fix README.md (Me: Updating password unselects Password nav item Automattic/wp-calypso#399)
• 081a3ab [Tests] use `safer-buffer` instead of `Buffer` constructor
• 943e411 [meta] Clean up license text so it’s properly detected as BSD-3-Clause
• 0d82916 [Fix] `utils.merge`: avoid a crash with a null target and an array source
• c103b90 [Fix]` `utils.merge`: avoid a crash with a null target and a truthy non-array source
• 563588d [Refactor] use cached `Array.isArray`
• 39a11bc [Docs] Clarify the need for "arrayLimit" option
• 4c8dcaf [Fix] `utils`: `merge`: fix crash when `source` is a truthy primitive & no options are provided
• 42de207 [Tests] remove nonexistent tape option
• 1b7c83e [meta] add FUNDING.yml
• d828941 [Fix] when `parseArrays` is false, properly handle keys ending in `[]`
• 1fb74cb v6.2.3
• eb2e3a5 [Tests] up to `node` `v7.7`, `v6.10`,` v4.8`; disable osx builds since they block linux builds.
• 1c045ca [Fix] support keys starting with brackets.
• 7d58e13 [Fix] chmod a-x
• 760d0a1 [Fix] follow `allowPrototypes` option during merge
• ff662ec v6.2.2
• 970fb26 remove unnecessary escapes (according to npm test results)
• 50ea161 [Fix] ensure that `allowPrototypes: false` does not ever shadow Object.prototype properties.

See the full diff

Package name: sanitize-html

The new version differs by 250 commits.

• b4682c1 Merge pull request Sites: Suggestion for managing many sites — create folders or categories for sites Automattic/wp-calypso#557 from apostrophecms/release-2.7.1
• b6c4971 release 2.7.1 (with security fix previously tested and approved by Miro)
• 6683aad remove DoS vulnerability
• 7c7ccb4 credit
• 994f962 Merge pull request Purchases: Fix purchase not updated upon privacy protection cancelation Automattic/wp-calypso#555 from paweljq/fix_protocol_relative_script_tag
• 3c3f075 Merge pull request Themes: display theme details inside Calypso instead of redirecting to theme page Automattic/wp-calypso#556 from cha147/patch-1
• 8e3b00f fix typos in readme
• 329dae7 Fix protocol relative url in scripts tags Redirect logged out /discover to Discover site Automattic/wp-calypso#531
• 3cdc262 release 2.7.0 (Added space in README.md Automattic/wp-calypso#534)
• 72989f1 Merge pull request Editor: Contact Form - Basic TinyMCE plugin and create/edit dialog. Automattic/wp-calypso#530 from apostrophecms/zade-credit
• 208cdb4 zade credit
• 7338f8b Merge pull request Editor: Add Markdown support Automattic/wp-calypso#529 from zadeviggers/patch-1
• 1971a57 Update defaults in readme
• 43f28f3 Update changelog
• 5fccedb Allow srcset
• be9c90d Add common image attributes
• 379b55b Bumps version (Devdocs: add welcome page Automattic/wp-calypso#523)
• da9767f Fixes important stripping (Editor: Assign directionality for user RTL preference Automattic/wp-calypso#522)
• d077c9f Merge pull request post-schedule: fix README header Automattic/wp-calypso#521 from alex-rantos/fix-trailing-text
• d905b3b typo on changelog
• 836c5ab add CHANGELOG entry
• c1112fb fix trailing text issue
• d737f39 Bumps version (Help: Replace the old site picker with the new one being developed Automattic/wp-calypso#520)
• e5027ef Merge pull request Help: Show a better loading page for the contact form Automattic/wp-calypso#515 from apostrophecms/revert-505-504-whatwg-url

See the full diff

Package name: superagent

The new version differs by 250 commits.

• fda9b5e v2.0.0
• 2429a1e 2.0.0-alpha.3
• 2ae9281 Catch errors thrown during end event
• 536e9a6 Merge pull request Editor: add preview_URL to post APIs Automattic/wp-calypso#989 from focusaurus/doc-electron-browser
• d0c57f1 document browser version in electron
• b3ef32c Merge pull request Reader: link user's name to their blog Automattic/wp-calypso#981 from visionmedia/pipeevents
• b24ab0b Emit response event when piping
• 8ae7380 Exclude bower.json from npm to avoid generating a confusing package
• 6b0e527 Alpha 2
• b47a011 Backwards compatibility with superagent-mock
• 984fbc6 Merge remote-tracking branch 'origin/headredirects'
• d351b1c Skip redirect test that exposes bug in IE
• 94f6f0a Merge pull request Reader: make "in-stream" comment bubble more useful Automattic/wp-calypso#974 from visionmedia/formserialize
• 6ff9350 Browsers are broken
• 1d8dc66 Localtunnel timeouts
• 61401a7 Fix DISALLOW_FILE_EDIT prevents manage plugins from working Automattic/wp-calypso#669
• 93a1cef Move method
• e302db1 Split test
• 62a077b Reused server for redirect tests
• b29520d Catch assertion errors to report them properly
• d7c3daa Redundant
• 781580f Moved tests
• 4ecd3f0 Serialize nested objects same way as node
• 2097cd2 Lint

See the full diff

Package name: webpack

The new version differs by 250 commits.

• bf4ec9c 3.0.0
• 9feda63 Merge pull request Adjust the drop shadow for the GuidedTours steps to the proper value Automattic/wp-calypso#5028 from webpack/feature/externalize_uglify_plugin
• 49d6e38 Merge pull request Jetpack Connect: Send a email reminder for those users who didn't complete the connection Automattic/wp-calypso#5086 from webpack/ci/node-8
• 3dcb133 OSX test on node.js 8
• f4b8785 Merge pull request Jetpack connect: avoid showing a generic error message Automattic/wp-calypso#5012 from webpack/TheLarkInn-patch-1
• d26c402 chore(deps): upgrade uglifyjs-webpack-plugin deps to get latest webpack-sources so tests pass
• 3da4f3e Merge pull request Plugins: fix google-analytics link Automattic/wp-calypso#5085 from jbellenger/jbellenger/rawmodule-hash
• 8c9dc14 fix RawModule hashing
• c2c5d73 Update README.md
• 316d4b9 Merge pull request Site Deletion: console error after deletion and no confirmation Automattic/wp-calypso#5084 from timse/remove-duplicate-code
• ae18552 update test case with changed hash due to less clutter in dependencies
• fc20348 unite iteration through modules into one loop
• 083843e remove code that pushes arrays of dependencies into dependencies
• ab636b0 Merge pull request Jetpack-connect: Add button to go back to your wp-admin Automattic/wp-calypso#5075 from andreipfeiffer/master
• 3b3449c Refactor: use const for non reassignable identifier
• 2ba0499 3.0.0-rc.2
• 1769fa2 Merge pull request Notices: Make links white instead of blue Automattic/wp-calypso#5064 from webpack/feature/scope-hoisting-multi-entry
• a73646a Merge pull request Jetpack Connect: stale secret Automattic/wp-calypso#5060 from mikesherov/reason-chunks-as-set
• 28f826a consistent order
• 8a30188 use Set for ModuleReason chunk rewriting
• 5d4ba56 Allow scope hoisting to process modules in multiple chunks
• d6a7594 harmony modules without exports have no exports instead of unknown
• 3ae782d Merge pull request Posts: only show no-ads nudge if a site is selected. Automattic/wp-calypso#5049 from KTruong888/ES6_refactoring_multicompiler
• 18cdba8 4099_ES6 refactor lib/MultiCompiler.js

See the full diff

Package name: wpcom

The new version differs by 99 commits.

• 1d279d2 Bump version to 5.4.2
• a2c4b26 Upgrade wpcom-xhr-request to 1.1.2 and reshrinkwrap (Stats: Stats page does not load in Safari, iOS 6. Drop support for iOS 6?  Automattic/wp-calypso#224)
• 58fc193 Fix audit vulnerabilities (Editor: Paste not an option from right-click menu when content area empty Automattic/wp-calypso#223)
• 97f8398 Update qs to ^6 (Purchases: improve feedback when updating payment details Automattic/wp-calypso#221)
• 7be461c Update to debug@3
• 3786104 Merge pull request Standards: CSSTransitionGroup Automattic/wp-calypso#220 from Automattic/update/wpcom-xhr-request
• 6d3177f Update wpcom-xhr-request to 1.1.1 and use a caret version
• 3859658 Merge pull request Upgrades: General: Remove duplicate information from all readme files Automattic/wp-calypso#217 from Automattic/update/browser-fs
• 3002ca2 Add newline to end of file
• 8f77412 remove beta
• d4dd912 updates according to feedback. simplify webpack config
• 893e1d0 fix directory issue
• c65ff02 bump to new major version beta
• 92d9551 throw error if using incorrect args in browser
• 0634613 beta ver bump
• 61af605 Minimize amount of code split between browser and node
• 0c39913 skip another test related to plugins
• b1a19ba skip another failing test...
• 81ed74e skip failing tests
• 3356b9a reference the build version
• c88288d fix filepath
• c5e83a0 update package version to beta
• 7a5bb66 update README
• dfa64de Browser Compatibility: follow standard practices for isomorphic javscript

See the full diff

Package name: wpcom-xhr-request

The new version differs by 31 commits.

• 2c5d870 Release 1.0.0
• e982315 test: add media files
• c16f1a3 test: add POSTs tests
• 5621425 pgk: 1.0.0-beta.4
• 712186a test: add pass `headers` to request test
• b628f50 test: fix nox-passed tests
• f445109 core: refact core using ES2015
• ddaeef4 test: add oauth tests
• abeee01 util: add token stuff
• a7a4ad5 pkg: bump 1.0.0-beta.3
• 23e4c3c core: make a copy of origin req parameters
• 0dd01e7 pkg: update package main file
• 35a356e Readme: update doc file
• 7f3d2c9 make: add `examples` rule
• 86f60b1 test: add REST-API and WP-API tests
• 8b877cc core: handling http envelope mode
• 2408ab2 add circle integration
• f6f34b0 ignore bundle example file
• 9dddfc3 do not rev bundle file
• a63f7b1 pkg: compile in prepublish. Set npm pack files
• 94e2f27 compile bundle only for examples purposes
• bc422aa ignoring build/ folder
• 04e9d80 core: ES6ify
• 99a0eb2 set eslint rules

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Cross-site Scripting (XSS)
🦉 Prototype Pollution
🦉 Regular Expression Denial of Service (ReDoS)
🦉 More lessons are available in Snyk Learn