[Snyk] Fix for 3 vulnerabilities

[renujankar]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json

⚠️ Warning

Failed to update the package-lock.json, please update manually before merging.

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ACORN-559469	No	No Known Exploit
	584/1000 Why? Has a fix available, CVSS 7.4	Directory Traversal SNYK-JS-ADMZIP-1065796	No	No Known Exploit
	811/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 9.8	Prototype Pollution SNYK-JS-JSONPOINTER-598804	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: @snyk/nodejs-runtime-agent

The new version differs by 38 commits.

• 224571c Merge pull request [Snyk] Security upgrade express from 4.12.4 to 4.19.2 snyk/snyk-goof#122 from snyk/snyk-upgrade-b499e5dec6c8943e8e5be3b991567d16
• e03426f fix: upgrade needle from 2.5.2 to 2.6.0
• a51b60b Merge pull request [Snyk] Security upgrade express from 4.12.4 to 4.19.2 snyk/snyk-goof#121 from snyk/snyk-upgrade-1b807b9de1acd5e1c9e71d472d42b551
• dbf7424 fix: upgrade debug from 4.1.1 to 4.3.2
• 93bbf24 Merge pull request [Snyk] Security upgrade snyk from 1.290.2 to 1.996.0 snyk/snyk-goof#119 from antonsamper/master
• 41798c3 chore(package): update engine
• efc27b5 Merge pull request [Snyk-dev] Fix for 110 vulnerabilities snyk/snyk-goof#116 from snyk/snyk-upgrade-d663568433e6c3f41671947a0885bd4b
• 0c70f97 fix: upgrade needle from 2.5.0 to 2.5.2
• 8946c95 Merge pull request [Snyk-dev] Fix for 110 vulnerabilities snyk/snyk-goof#114 from snyk/feat/needle
• ac9aabf feat: upgrade needle (redirect bug)
• ade9436 Merge pull request [Snyk-dev] Fix for 111 vulnerabilities snyk/snyk-goof#111 from snyk/snyk-fix-93368b07b9de27f1dbf0560f8ba14c21
• 4b5269a test: update test fixture to match acorn@5.7.2
• 919477e fix: package.json & package-lock.json to reduce vulnerabilities
• a502cbb Merge pull request [Snyk] Fix for 49 vulnerabilities snyk/snyk-goof#107 from snyk/docs/readme
• dde1526 docs: describe supported Node versions on our README.md
• 83fe936 Merge pull request [Snyk-dev] Fix for 98 vulnerabilities snyk/snyk-goof#103 from snyk/chore/codeowners
• 4b0109f chore: codeowners
• 435f878 Merge pull request [Snyk] Fix for 16 vulnerabilities snyk/snyk-goof#99 from snyk/chore/bumps
• 8ef98c8 test: limit concurrency to 1
• c53384a chore: upgrade tap; js-yaml is no longer
• 50a0844 chore: bump semver
• 391a2c5 chore: low-risk bumps
• 800766c chore: run tests on random port
• 3d90fb9 test: try and close the demo server cleanly

See the full diff

Package name: adm-zip

The new version differs by 84 commits.

• c5aeed4 Incremented version number
• 119dcad Fixed path traversal issue GHSL-2020-198
• 1d22ff6 Merge pull request #341 from 5saviahv/history
• 492d148 added changelog
• dd415ae Incremented version
• 0f011a3 Fixed outFileName
• bc19fee Added extra parameter to extractEntryTo so target filename can be renamed
• 92e9836 Updated dev dependency
• 2b8d9ab Merge pull request #315 from enecciari/work_in_browser
• 4fe58d1 Merge pull request #322 from cthackers/dependabot/npm_and_yarn/lodash-4.17.19
• 49218a4 Merge pull request #327 from kosuke-suzuki/multibyte-comment
• a7e8932 Merge pull request #331 from 5saviahv/master
• 7db0eda modified addLocalFolder method
• e114929 typo
• dc81063 modified addLocalFile method
• bc0f594 Deflate needs min V2.0
• dde4f51 Node v6
• 003d4cf Added ZipCrypto decrypting ability
• 63ed6e2 Detect and throw error with encrypted files
• c64ac14 LICENSE filename in package.json
• 1a334b2 add multibyte-encoded comment with byte length instead of character length
• 96d492a Bump lodash from 4.17.15 to 4.17.19
• b77f380 now it works in browser
• 218feee Merge remote-tracking branch 'upstream/master'

See the full diff

Package name: tap

The new version differs by 250 commits.

• fe8158e 11.1.3
• b17542d Upgrade deps (changing semver requirements)
• bc3ba17 update deps
• bd4de92 Clean up nyc output so Travis passes on node 6
• 2292432 Add hexagonal-lambda to the tap 100 list
• fed62c9 Merge remote-tracking branch 'origin/master'
• 3cdf1c7 11.1.2
• ddf938b Only ship files we want to ship
• 5b5e2ee docs: add unique page titles
• 2323c3b Merge tag 'v11.1.1'
• 95faf6c 11.1.1
• 283c8e6 Handle EPIPE better in exceptional edge cases
• b727234 Fix obscure edge case when this.results is not set
• 1699eb9 process: update docs on the master branch
• ac366a0 docs: fix typo ('heirarchical' -> 'hierarchical')
• 13073a7 docs: correct 100 PR link
• b95ee22 v11.1.0
• fcf70aa Add support for disabling autoend
• 94be0a7 v11.0.1
• 6c3f019 remove badges that are no longer accurate or in use
• ae562a7 don't ignore coverage doc
• 9fcfd52 Migrate docs into main repository
• f189c50 v11.0.0
• 5cde128 Merge branch 'v11'

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Directory Traversal
🦉 Prototype Pollution