[Snyk] Fix for 18 vulnerabilities

[sanyamason]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • app/package.json
  • app/package-lock.json
  • app/.snyk

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-CHRONONODE-1083228	Yes	No Known Exploit
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-INI-1048974	No	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Denial of Service (DoS) SNYK-JS-JSZIP-1251497	No	Proof of Concept
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Prototype Pollution SNYK-JS-MINIMIST-2429795	No	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	No	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Directory Traversal SNYK-JS-MOMENT-2440688	No	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MOMENT-2944238	No	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-POSTCSS-1255640	Yes	Proof of Concept
	596/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.5	Arbitrary Code Injection SNYK-JS-UNDERSCORE-1080984	No	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-XLSX-1311137	No	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-XLSX-1311139	No	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-XLSX-1311141	No	Proof of Concept
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) SNYK-JS-XLSX-585898	No	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:underscore.string:20170908	No	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: better-sqlite3

The new version differs by 93 commits.

• fedcca3 7.4.5
• ac4d76a add arm64 prebuilds for alpine (Suggestion feature - Alignment (email writing) Foundry376/Mailspring#714)
• bd2a69e Update `prebuild-install` to `v7.0.0` (Emails of deleted account can't be removed Foundry376/Mailspring#724)
• 6c97553 Add electron `v16` prebuild support
• 1ac101d 7.4.4
• 22c2ab8 reverted mocha version
• 5858f6c Merge branch 'master' of github.com:JoshuaWise/better-sqlite3
• ad9b28e Upgrade depencies (When creating/editing an email make the links clickable only with CTRL+click Foundry376/Mailspring#702)
• 8a70a92 Prebuild for alpine (Copied text appears as white font for receivers Foundry376/Mailspring#641)
• ff15af5 ci: add prebuild for electron 32 bit windows (Unable to Compose Email Foundry376/Mailspring#584)
• 28195b3 added CODEOWNERS
• b433c8a add electron 14 and 15 (Emptying the Spam and trash folders sometimes "sticks" and messages remain Foundry376/Mailspring#705)
• 23c56aa Encapsulate the internal SQLite (Folder Sync with Office 365 is Buggy Foundry376/Mailspring#684)
• 1fa3c77 7.4.3
• b3169ef fixed bug in node 14 where empty buffers are bound as null
• 3467abd 7.4.2
• 4d316a5 added SQLITE_ENABLE_MATH_FUNCTIONS
• d094aac updated tests
• be7770e upgraded to sqlite 3.36
• 115258a fixed typo in docs
• 309708b 7.4.1
• ed3d203 Fixes GLIBC 2.29 issues, electron issues, and more (Where can I find the header of an email? Foundry376/Mailspring#631)
• ea5725b added support for node v16
• a65bec1 improved documentation

See the full diff

Package name: chrono-node

The new version differs by 212 commits.

• 4350642 2.2.4
• 036f7aa New: improve parsing performance by caching complied regex
• 98815b5 Fix: unblounded regex backtracking in timeunit parsing
• 3f294e0 2.2.3
• 16737f5 Fix: Remove internal annotation on the debugging
• 5e9456d 2.2.2
• f9cd773 Update readme document
• 8f395f2 refactor: exclude documentation in master
• ac27496 New: Add typedoc setting
• e047e2e Documentation: Update
• b582ae7 Fix: vague time parsing in strict mode
• f60807e 2.2.1
• bf2ae34 Fix: time expression endding with numbers only
• 3d044ee Add init Typedoc integration
• fbbd996 Merge pull request Activity notifications appear again after reboot Foundry376/Mailspring#373 from JeroenVdb/master
• 911588c Merge pull request Window get resized when we click an item from 'View Activity' list Foundry376/Mailspring#372 from flpvsk/feature/fuzzy-forward-date
• 4f264a9 Make "in|within|for" optional if forwardDate=true
• f47c32c 2.2.0
• 1d949a2 Fix: stop guessing single digit after dot as minute
• 269fa37 remove unsupported
• 5c98948 tests for time units
• a4cedba copy from EN
• da3def8 readd morgend so we dont break
• b0af06f readd morgend so we dont break

See the full diff

Package name: ini

The new version differs by 3 commits.

• 2da9039 1.3.6
• cfea636 better git push script, before publish instead of after
• 56d2805 do not allow invalid hazardous string as section name

See the full diff

Package name: keytar

The new version differs by 47 commits.

• 74f472b 7.1.0
• fb33a40 bump node-abi and downstream packages (Custom themes can't be compiled from 1.0.8 Foundry376/Mailspring#326)
• c4683fb Change binding.gyp to fix napi.h not found error (Linux distribution as a .tar.gzip (gzipped tarball) Foundry376/Mailspring#325)
• bc2ec26 Bump mocha from 8.2.0 to 8.2.1 (Only build quicklook previews for files less than a certain size Foundry376/Mailspring#324)
• c435fe4 add support for building and testing with GitHub Actions ([Feature Request] Ability to move IMAP folders from the left sidebar Foundry376/Mailspring#323)
• 321ea32 Add prebuild Electron for arm64 (Updated urlRegex to fix #269 Foundry376/Mailspring#319)
• 346fdb7 Bump mocha from 8.1.3 to 8.2.0 (Mailspring is not responding Foundry376/Mailspring#313)
• 6fbda33 Bump node-gyp from 7.1.0 to 7.1.2 (Have to delete emails twice for them to actually delete from inbox. Foundry376/Mailspring#312)
• a5162d3 Bump prebuild-install from 5.3.5 to 6.0.0 (Mailspring is not responding Foundry376/Mailspring#314)
• dd67c9b 7.0.0
• 30f769c Drop Electron v5 and v6 support (Use space/shift+space for additional pagedown/pageup Foundry376/Mailspring#311)
• a6ee40c Fix memory leaks on macOS (Unable to install on Ubuntu 16.04: Package libsecret-1-dev is not installed Foundry376/Mailspring#293)
• 13633ed Bump node-addon-api from 3.0.0 to 3.0.2 (Empty Inbox and use of virtual folders Foundry376/Mailspring#309)
• ed8da7b Bump bl from 3.0.0 to 3.0.1 (Libappindicator1 dependency in Fedora Foundry376/Mailspring#306)
• f6def5b add prebuild targets for Electron 10 (SMTP Error when Sending from an Alias Foundry376/Mailspring#307)
• f33fee4 add rust bindings to README (Translated message-store.coffe to es6 and change to display the subject of the current selected email on window title Foundry376/Mailspring#305)
• cdebd3d Bump mocha from 8.1.1 to 8.1.3 (Bug on IMAP account Foundry376/Mailspring#303)
• 4863f43 Bump node-abi from 2.19.0 to 2.19.1 (Emails Disappear From Inbox Foundry376/Mailspring#304)
• 8007791 Bump node-abi from 2.18.0 to 2.19.0 (Buttons with links not clickable in Facebook email Foundry376/Mailspring#301)
• 686e450 Bump node-gyp from 7.0.0 to 7.1.0 (Enabling 2FA on Gmail Breaks Currently Running Instance Foundry376/Mailspring#299)
• 0279477 Bump mocha from 8.1.0 to 8.1.1 (no-drafts-folder Foundry376/Mailspring#298)
• 48e2fc0 Bump prebuild from 10.0.0 to 10.0.1 ("Show original" does not show original  Foundry376/Mailspring#300)
• a3f76de Bump mocha from 8.0.1 to 8.1.0 (Mail send with Mailspring is defined as 'potential threat - phishing' Foundry376/Mailspring#294)
• 1e22685 Bump lodash from 4.17.15 to 4.17.19 (Synchronization problem after update (1.0.6 > 1.0.7) Windows10 Foundry376/Mailspring#289)

See the full diff

Package name: mammoth

The new version differs by 66 commits.

• c97335e Bump version to 1.4.18
• b6ab371 Update JSZip to 3.2.0
• e0bb3d1 Fix versioning in NEWS
• 67142b6 Handle internal hyperlinks created with complex fields
• 2a3c8d6 Fix test name
• eab2eee Convert tab elements to tab characters
• 6f0a685 Add tests for raw text extraction
• 8e88d60 Extract raw-text module
• e82bdbd Bump version to 1.4.17
• 3bc9875 Add update of underscore to NEWS
• ffacc92 Add trailing full stop for consistency
• 9420bb9 Handle w:num with invalid w:abstractNumId
• c2d79f8 Update lop
• 463d0ab Update duck and underscore
• 9c273d0 Bump version to 1.4.16
• a423d1a Convert symbols in supported fonts to corresponding Unicode characters
• f141817 Ensure we don't use null style ID for finding numbering
• 0846021 Bump version to 1.4.15
• 83431a6 Support numbering defined by paragraph style
• 9e7ca2e Mention LibreOffice and Google Docs in README
• 299e9ff Remove .travis.yml
• 9f3a2cf Add GitHub workflow
• 44a022e Bump version to 1.4.14
• f7cfac6 Add style mapping for all caps

See the full diff

Package name: mkdirp

The new version differs by 4 commits.

• b2e7ba0 0.5.2
• c5b97d1 bump minimist to 1.2 to fix security issue
• f2003bb test: add v4 and v5 to travis
• b8629ff tools: update tap + mock-fs. Fix broken test

See the full diff

Package name: rtlcss

The new version differs by 23 commits.

• cd0e5cd 3.0.0
• bd4c099 2.6.2
• 80c15f2 set input source to same file in raw directive
• d6dfd3e 2.6.1
• 4994517 deps - remove String.prototype polluting "colors" deep dep (Participant profile sidebar crashes on adress without display name Foundry376/Mailspring#177)
• ae64631 Update CHANGELOG.md
• 29ce551 2.6.0
• 43d70f3 fix flipping `rotate3d`/enable flipping `rotateY`.
• be838c0 Flip perspective-origin declarations (Badge counter is behind Foundry376/Mailspring#167)
• f5afa82 Fix an issue with empty output when `--silent` and `--stdin` flags are used together. (No instructions on how to edit keymap.json Foundry376/Mailspring#170)
• 16f477b Bump lodash from 4.17.15 to 4.17.19 (sanity check on fix for #92 Foundry376/Mailspring#172)
• a2f9748 use mocha v5
• 77f552b update mocha
• 57b09e5 2.5.0
• 78fd6d3 flip length based `transform-origin` using calc.
• 435a6c8 Closes Opening attachment Foundry376/Mailspring#156
• feb9e9c Update FUNDING.yml
• 1bd11bb Create FUNDING.yml
• 835ca6c rename variable
• c8ff9fe 2.4.1
• fa56182 update dependencies
• 91825cb ignore white spaces before directive prefix
• 3b47539 Should mirror keyword horizontal position (with value) (label displayed by "syncking your mailbox" is garbled. Foundry376/Mailspring#126)

See the full diff

Package name: underscore

The new version differs by 250 commits.

• bf5a0ed Merge branch 'template-variable-parameter'
• 7e3d404 Update annotated sources and minified bundles for 1.12.1
• 5343fbc Add version 1.12.1 to the documentation
• 44df929 Bump the version to 1.12.1
• 7e89b79 Un-document the fix for #2911 for the time being
• 4c73526 Fix #2911
• ef646cc Reflect real issue of #2911 in test from #2912
• a6159ff Fix indentation in the test from #2912
• 798eafa Update the link to the preview release (bugfix)
• 07cc415 Convert all RawGit links to Statically
• db7fb6a Add temporary note about preview release to index.html
• 548fa01 Merge pull request #2913 from ognjenjevremovic/test/time-tampering-tests
• 3a5c878 test: Assertion comment updates; `_.throttle` and `_.debounce`.
• 4d5d198 test: 💍 Time tampering tests for _.throttle and _.deobounce
• a4cc7c0 Add a test to confirm we are not vulnerable to CVE-2021-23337 (#2911)
• 745e9b7 Merge pull request #2896 from anderlaw/master
• af2f919 Correct "Non-numerical values in list will be ignored"
• c9b4b63 Put back test/vendor/qunit.* static files to fix live website tests
• 311b04e Merge pull request #2892 from kritollm/master
• 6568211 Make a comment render more nicely
• 0b93f06 Fixed a few more details
• 913bcf2 Resolved changes requested.
• 769a494 throttle cleanup
• 03f9781 Reimplementing timer optimization Send email sometimes not work Foundry376/Mailspring#1269

See the full diff

Package name: underscore.string

The new version differs by 9 commits.

• 6a65c38 Version 3.3.6
• a1bc91a fixup! Prepare for 3.3.6
• d69c845 Prepare for 3.3.6
• d095c4a Compile dist
• 6cd50d1 Bump version in manifests to current
• acb31a6 Add lock file and pin node.js
• df8dc9e Disable broken eslint rules for now
• 095972b Update deps
• 87ddc29 Release 3.3.5

See the full diff

Package name: xlsx

The new version differs by 89 commits.

• 3542d62 version bump 0.17.0
• 6c5db36 AWS Lambda Binary Media Types
• 59b3dae Tested the MongoDB scripts and fixed them
• e958dbf Refresh server demos
• 1d7aff4 suppress modified test files
• f8c0a86 [Tests] migrate tests to Github Actions
• 58e59dc updates to react demo
• 333deae write and parse ods in mini build (Bug: Dependencies cannot be installed correctly Foundry376/Mailspring#2197)
• 20212e1 version bump 0.16.9: utf-8 codenames
• f7835d6 Add support for outline configuration
• eec93b0 Fixed parsing for first cell in .fods documents
• 6ecfeb6 Added google sheet example
• b0e68a9 Add escape slash to cell matcher
• 9f1ba60 version bump 0.16.8: CRLF in formulae
• b9323c5 Update 78_writebiff.js
• d4cfadb Fix Feature Request: UX ideas from Hey.com Foundry376/Mailspring#2071
• 5985739 Mark generated files as binary
• 542636b Update 80_parseods.js
• 82b7ada version bump 0.16.7
• 0cc6cc9 XLSX verify formula is string (fixes Update CHANGELOG.md Foundry376/Mailspring#1703)
• 2c5a863 Removed null ws return from 90_utils
• 2e32611 version bump 0.16.6: xlfn option
• 3b589f0 XLSX SST treat <si></si> as empty (fixes Bug: Read receipts not working in mailspring Foundry376/Mailspring#2083)
• abed474 whitespace check (fixes Bug: Cant send any email with file included Foundry376/Mailspring#2075)

See the full diff

With a Snyk patch:

Severity	Priority Score (*)	Issue	Exploit Maturity
	731/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.2	Prototype Pollution SNYK-JS-LODASH-567746	Proof of Concept
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:hoek:20180212	Proof of Concept
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:ms:20170412	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Some vulnerabilities couldn't be fully fixed and so Snyk will still find them when the project is tested again. This may be because the vulnerability existed within more than one direct dependency, but not all of the affected dependencies could be upgraded.

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Regular Expression Denial of Service (ReDoS)
🦉 Prototype Pollution
🦉 More lessons are available in Snyk Learn