[Snyk] Security upgrade npm from 5.6.0 to 7.0.0

[Omrisnyk]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • openshift/message-board/message-board-web/package.json
  • openshift/message-board/message-board-web/package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	159/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00299, Social Trends: No, Days since published: 806, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.99, Likelihood: 2.65, Score Version: V5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	61/1000 Why? Confidentiality impact: Low, Integrity impact: Low, Availability impact: None, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): Required, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00063, Social Trends: No, Days since published: 526, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 4.19, Likelihood: 1.45, Score Version: V5	Open Redirect SNYK-JS-GOT-2932019	Yes	No Known Exploit
	63/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: Low, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00231, Social Trends: No, Days since published: 1015, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 2.35, Likelihood: 2.65, Score Version: V5	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	Yes	Proof of Concept
	239/1000 Why? Confidentiality impact: High, Integrity impact: High, Availability impact: High, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): High, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00606, Social Trends: No, Days since published: 1015, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 9.79, Likelihood: 2.43, Score Version: V5	Command Injection SNYK-JS-LODASH-1040724	Yes	Proof of Concept
	151/1000 Why? Confidentiality impact: Low, Integrity impact: Low, Availability impact: Low, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.01362, Social Trends: No, Days since published: 1609, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.62, Likelihood: 2.67, Score Version: V5	Prototype Pollution SNYK-JS-LODASH-450202	Yes	Proof of Concept
	150/1000 Why? Confidentiality impact: Low, Integrity impact: Low, Availability impact: Low, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.01055, Social Trends: No, Days since published: 1193, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.62, Likelihood: 2.67, Score Version: V5	Prototype Pollution SNYK-JS-LODASH-608086	Yes	Proof of Concept
	149/1000 Why? Confidentiality impact: Low, Integrity impact: Low, Availability impact: Low, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00117, Social Trends: No, Days since published: 1760, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.62, Likelihood: 2.64, Score Version: V5	Prototype Pollution SNYK-JS-LODASH-73638	Yes	Proof of Concept
	133/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): High, Attack Complexity: High, Attack Vector: Network, EPSS: 0.00317, Social Trends: No, Days since published: 1697, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 5.99, Likelihood: 2.2, Score Version: V5	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	Yes	Proof of Concept
	118/1000 Why? Confidentiality impact: Low, Integrity impact: Low, Availability impact: None, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00063, Social Trends: No, Days since published: 255, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 4.19, Likelihood: 2.81, Score Version: V5	Server-side Request Forgery (SSRF) SNYK-JS-REQUEST-3361831	Yes	Proof of Concept
	118/1000 Why? Confidentiality impact: Low, Integrity impact: Low, Availability impact: None, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00173, Social Trends: No, Days since published: 150, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 4.19, Likelihood: 2.81, Score Version: V5	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	Yes	Proof of Concept
	140/1000 Why? Confidentiality impact: Low, Integrity impact: Low, Availability impact: Low, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): Low, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00121, Social Trends: No, Days since published: 2112, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 5.62, Likelihood: 2.48, Score Version: V5	Prototype Pollution npm:lodash:20180130	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Release notes

Package name: npm

• 7.0.0 - 2020-10-13
  

  v7.0.0 (2020-10-12)

  BUG FIXES

  • 7bcdb3636 #1949 fix: ensure publishConfig is passed through (@ nlf)
  • 97978462e fix: patch config.js to remove duplicate vals (@ darcyclarke)

  DOCUMENTATION

  • 60769d757 #1911 docs: v7 npm-install refresh (@ ruyadorno)
  • 08de49042 #1938 docs: v7 using npm config updates (@ ruyadorno)

  DEPENDENCIES

  • 15366a1cf npm-registry-fetch@8.1.5
  • f04a74140 init-package-json@2.0.0
    • 1de21dce0 fix: support dot-separated aliases defined in a .npmrc ini files for init-* configs (@ ruyadorno)
  • a67275cd9 eslint@7.11.0
  • 6fb83b78d hosted-git-info@3.0.6
  • 1ca30cc9b libnpmfund@1.0.0
  • 28a2d2ba4 @ npmcli/arborist@1.0.0
    • npm/rfcs#239 Improve handling of conflicting peerDependencies in transitive dependencies, so that --force will always accept a best effort override, and --strict-peer-deps will fail faster on conflicts.
  • 9306c6833 libnpmfund@1.0.1
  • fafb348ef npm-package-arg@8.1.0
  • 365f2e756 read-package-json@3.0.0
• 7.0.0-rc.4 - 2020-10-09
  

  v7.0.0-rc.4 (2020-10-09)

  • 09b456f2d @ npmcli/config@1.2.1
    • #1919 exposes npm_config_user_agent env variable (@ nlf)
  • e859fba9e #1936 fix npx for non-interactive shells (@ nlf)
  • 9320b8e4f #1906 restore old npx behavior of running existing bins first (@ nlf)
  • 7bd47ca2c @ npmcli/arborist@0.0.33
    • fixed handling of invalid package.json file
  • 02737453b make-fetch-happen@8.0.10
    • do not calculate integrity values of http errors
• 7.0.0-rc.3 - 2020-10-06
  

  v7.0.0-rc.3 (2020-10-06)

  • d816c2efa c8f0d5457 d48086d0d f34595f2e #1902 tests for several commands (@ nlf)
  • 6d49207db #1903 Revert "Remove unused npx binary" (@ MylesBorins)
  • 138dfc202 set executable permissions on bins that node installer uses
  • b06d68078 @ npmcli/arborist@0.0.32
    • Do not remove node_modules folders from Workspaces when loadActual races with buildIdealTree (@ ruyadorno)
  • 2509e3a1b uuid@8.3.1
• 7.0.0-rc.2 - 2020-10-02
  

  v7.0.0-rc.2 (2020-10-02)

  • 6de81a013 @ npmcli/run-script@1.7.2
    • Fix regression running 'install' scripts when package.json does not contain a scripts object
• 7.0.0-rc.1 - 2020-10-02
  

  v7.0.0-rc.1 (2020-10-02)

  • 281a7f39a @ npmcli/arborist@0.0.31
    • Allow npm update to update bundled root dependencies
    • Only do implicit node-gyp build for gyp files named binding.gyp
  • 384f5ec47 update minipass-fetch to fix many 'cb() never called' errors
  • 7b1e75906 @ npmcli/run-script@1.7.1
    • Only do implicit node-gyp build for gyp files named binding.gyp
  • c20e2f0c7 #1892 Support --omit options in npm outdated
• 7.0.0-rc.0 - 2020-10-01
  

  v7.0.0-rc.0 (2020-10-01)

  • 3b417055c #1859 fix proxy and https-proxy config support (@ badeggg)
  • dd7d7a284 @ npmcli/arborist@0.0.30
    • #1849 Do not drop peer/dev dep while saving if both set
    • Do not install or build if there is a global top bin conflict
    • Default to building node-gyp dependencies
  • 40c17e12c cli-table3@0.6.0
  • 47a8ca1d7 byte-size@7.0.0
  • 81073f99a eslint@7.10.0
  • 67793abd4 eslint-plugin-import@2.22.1
  • a27e8d006 is-cidr@4.0.2
  • 893fed45e marked-man@0.7.0
  • bc20e0c8a rimraf@3.0.2
  • a2b8fd3c1 uuid@8.3.0
  • ee4c85b87 write-file-atomic@3.0.3
  • 4bdad5fdf bin-links@2.2.1
  • c394937ec @ npmcli/run-script@1.7.0
    • Default to building node-gyp dependencies and projects
  • remove many unused dependencies (@ ruyadorno)
    • 558e9781a deep-equal
    • 2aa9a1f8a request
    • d77594e52 npm-registry-couchapp
    • 8ec84d9f6 tacks
    • a07b421f7 lincesee
    • 41126e165 npm-cache-filename
    • 130da51b5 npm-registry-mock
    • b355af486 sprintf-js
    • 721c0a873 uid-number
    • 9c920e5f5 umask
    • aae1c38bb config-chain
    • 450845eac find-npm-prefix
    • 963d542d3 has-unicode
    • cad9cbc70 infer-owner
    • 3ae02914d lockfile
    • 7bc474d7c once
    • 5c5e0099a retry
    • cfaddd334 sha
    • 3a978ffc7 slide
• 7.0.0-beta.13 - 2020-09-29
  

  v7.0.0-beta.13 (2020-09-29)

  • 405e051f7 Fix EBADPLATFORM error message (@#1876)
  • e4d911d21 @ npmcli/arborist@0.0.28
    • fix: workspaces install entering an infinite loop
    • Save provided range if not a subset of savePrefix
    • package-lock.json custom indentation
    • Check engine and platform when building ideal tree
  • 90550b2e0 #1853 test coverage and refactor for token command (@ nlf)
  • 2715220c9 #1858 #1813 do not include omitted optional dependencies in install output (@ ruyadorno)
  • e225ddcf8 #1862 #1861 respect depth when running npm ls <pkg> (@ ruyadorno)
  • 2469ae515 #1870 #1780 Add 'fetch-timeout' config (@ isaacs)
  • 52114b75e #1871 fix npm ls for linked dependencies (@ ruyadorno)
  • 9981211c0 #1857 #1703 fix npm outdated parsing invalid specs (@ ruyadorno)
• 7.0.0-beta.12 - 2020-09-22
  

  v7.0.0-beta.12 (2020-09-22)

  • 24f3a5448 #1811 npm ci should never save package.json or lockfile (@ isaacs)
  • 5e780a5f0 remove unused spec parameter, assign error code (@ nlf)
  • f019a248a Remove unused npx binary (@ isaacs)
  • db157b3ce @ npmcli/arborist@0.0.27
    • Resolve race condition with conflicting bin links in local installs
    • #1812 Log engine mismatches more usefully
    • #1814 Do not loop trying to resolve dependencies that fail to load
    • npm/rfcs#224 Do not automatically install optional peer dependencies
    • Add the strictPeerDeps option, defaulting to false
    • fix forwarding configs to resolve pkg spec when adding new deps
  • b3a50d275 #1846 @ npmcli/run-script@1.6.0
    • This updates node-gyp to v7, allowing us to deduplicate a lot of significant dependencies.
  • a1d375f6b #1819 Add --strict-peer-deps option (@ isaacs)
  • 5837a4843 #1699 Use allow/deny list in docs (@ luciomartinez)
• 7.0.0-beta.11 - 2020-09-16
  

  v7.0.0-beta.11 (2020-09-16)

  • 63005f4a9 #1639 npm view should not output extra newline (@ MylesBorins)
  • 3743a42c8 #1750 add outdated tests (@ claudiahdz)
  • 2019abdf1 #1786 add lib/link.js tests (@ ruyadorno)
  • 2f8d11968 @ npmcli/arborist@0.0.25
    • add meta vulnerability calculator for faster audits
    • changed parsing specs to be relative to cwd
    • fix logging script execution
    • fix properly following resolved symlinks
    • fix package.json dependencies order
  • 49b2bf5a7 @ npmcli/config@1.1.8
    • fix unkown envs to be passed through
    • fix setting correct globalPrefix on load
  • f9aac351d libnpmversion@1.0.5
    • fix git ignored lockfiles
• 7.0.0-beta.10 - 2020-09-08
  

  v7.0.0-beta.10 (2020-09-08)

  • 7418970f0 Improve output of dependency node explanations
  • 5e49bdaa3 #1776 Add 'npm explain' command
• 7.0.0-beta.9 - 2020-09-04
• 7.0.0-beta.8 - 2020-09-01
• 7.0.0-beta.7 - 2020-08-25
• 7.0.0-beta.6 - 2020-08-21
• 7.0.0-beta.5 - 2020-08-18
• 7.0.0-beta.4 - 2020-08-11
• 7.0.0-beta.3 - 2020-08-10
• 7.0.0-beta.2 - 2020-08-07
• 7.0.0-beta.1 - 2020-08-05
• 7.0.0-beta.0 - 2020-08-04
• 6.14.18 - 2022-12-21
• 6.14.17 - 2022-04-28
• 6.14.16 - 2022-01-19
• 6.14.15 - 2021-08-24
• 6.14.14 - 2021-07-27
• 6.14.13 - 2021-04-12
• 6.14.12 - 2021-03-25
• 6.14.11 - 2021-01-08
• 6.14.10 - 2020-12-18
• 6.14.9 - 2020-11-20
• 6.14.8 - 2020-08-17
• 6.14.7 - 2020-07-21
• 6.14.6 - 2020-07-07
• 6.14.5 - 2020-05-04
• 6.14.4 - 2020-03-25
• 6.14.3 - 2020-03-19
• 6.14.2 - 2020-03-03
• 6.14.1 - 2020-02-27
• 6.14.0 - 2020-02-25
• 6.13.7 - 2020-01-28
• 6.13.6 - 2020-01-09
• 6.13.5 - 2020-01-09
• 6.13.4 - 2019-12-11
• 6.13.3 - 2019-12-10
• 6.13.2 - 2019-12-03
• 6.13.1 - 2019-11-18
• 6.13.0 - 2019-11-05
• 6.12.1 - 2019-10-29
• 6.12.0 - 2019-10-08
• 6.12.0-next.0 - 2019-09-26
• 6.11.3 - 2019-09-03
• 6.11.2 - 2019-08-22
• 6.11.1 - 2019-08-21
• 6.11.0 - 2019-08-20
• 6.10.3 - 2019-08-06
• 6.10.2 - 2019-07-23
• 6.10.2-next.3 - 2019-07-22
• 6.10.2-next.2 - 2019-07-21
• 6.10.2-next.1 - 2019-07-17
• 6.10.2-next.0 - 2019-07-16
• 6.10.1 - 2019-07-11
• 6.10.1-next.2 - 2019-07-10
• 6.10.1-next.1 - 2019-07-03
• 6.10.1-next.0 - 2019-07-03
• 6.10.0 - 2019-07-03
• 6.10.0-next.0 - 2019-07-01
• 6.9.2 - 2019-06-27
• 6.9.1-next.0 - 2019-03-20
• 6.9.0 - 2019-03-06
• 6.9.0-next.0 - 2019-02-21
• 6.8.0 - 2019-02-13
• 6.8.0-next.2 - 2019-02-07
• 6.8.0-next.1 - 2019-02-06
• 6.8.0-next.0 - 2019-01-31
• 6.7.0 - 2019-01-23
• 6.6.0 - 2019-01-17
• 6.6.0-next.1 - 2019-01-10
• 6.6.0-next.0 - 2018-12-12
• 6.5.0 - 2018-12-10
• 6.5.0-next.0 - 2018-11-28
• 6.4.1 - 2018-08-29
• 6.4.1-next.0 - 2018-08-23
• 6.4.0 - 2018-08-15
• 6.4.0-next.0 - 2018-08-09
• 6.3.0 - 2018-08-02
• 6.3.0-next.0 - 2018-07-25
• 6.2.0 - 2018-07-14
• 6.2.0-next.1 - 2018-07-05
• 6.2.0-next.0 - 2018-06-29
• 6.1.0 - 2018-05-24
• 6.1.0-next.0 - 2018-05-17
• 6.0.1 - 2018-05-10
• 6.0.1-next.0 - 2018-05-04
• 6.0.0 - 2018-04-24
• 6.0.0-next.2 - 2018-04-21
• 6.0.0-next.1 - 2018-04-13
• 6.0.0-next.0 - 2018-03-23
• 5.10.0 - 2018-05-11
• 5.10.0-next.1 - 2018-05-07
• 5.10.0-next.0 - 2018-04-13
• 5.9.0-next.0 - 2018-03-23
• 5.8.0 - 2018-03-23
• 5.8.0-next.0 - 2018-03-13
• 5.7.1 - 2018-02-22
• 5.7.0 - 2018-02-21
• 5.6.0 - 2017-11-28

from npm GitHub release notes

Commit messages

Package name: npm

The new version differs by 250 commits.

• 3b4ba65 7.0.0
• bbfc75d chore: fix weird .gitignore thing that happened somehow
• 8a2d375 docs: changelog for v7.0.0
• 365f2e7 read-package-json@3.0.0
• fafb348 npm-package-arg@8.1.0
• 9306c68 libnpmfund@1.0.1
• 569cd64 libnpmfund@1.0.0
• ac9fde7 Integration code for @ npmcli/arborist@1.0.0
• 704b9cd @ npmcli/arborist@1.0.0
• 3955bb9 hosted-git-info@3.0.6
• da240ef fix: patch config.js to remove duplicate values
• 9ae45a8 init-package-json@2.0.0
• 41ab36d eslint@7.11.0
• c474a15 npm-registry-fetch@8.1.5
• efc6786 fix: make sure publishConfig is passed through
• 1e4e6e9 docs: v7 using npm config refresh
• 5c1c2da fix: init config aliases
• 5bc7eb2 docs: v7 npm-install refresh
• 1a35d87 7.0.0-rc.4
• 7a5a557 docs: changelog for v7.0.0-rc.4
• f0cf859 chore: dedupe deps
• 0273745 make-fetch-happen@8.0.10
• 7bd47ca @ npmcli/arborist@0.0.33
• 9320b8e only escape arguments, not the command name

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Open Redirect
🦉 Prototype Pollution
🦉 More lessons are available in Snyk Learn