
[Snyk] Fix for 1 vulnerabilities #110

Open. Wants to merge 1 commit into base: master.

Conversation

adamlaska (Owner)

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • deps/npm/package.json

Vulnerabilities that will be fixed

With an upgrade:
| Severity | Priority Score (*) | Issue | Breaking Change | Exploit Maturity |
| --- | --- | --- | --- | --- |
| medium severity | 658/1000 (Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 5.3) | Regular Expression Denial of Service (ReDoS), SNYK-JS-SEMVER-3247795 | Yes | Proof of Concept |

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: init-package-json. The new version differs by 21 commits.

Package name: licensee. The new version differs by 70 commits.

Package name: node-gyp. The new version differs by 97 commits.

Package name: normalize-package-data. The new version differs by 10 commits.

Package name: npm-install-checks. The new version differs by 13 commits.
  • 9b68df3 4.0.0
  • d498feb allow engine if npm version not specified
  • f9cc89a update travis to only include live nodes
  • 0fc0126 auto-publish scripts
  • ca36bca update changelog for v4
  • a0d38b4 update docs for v4
  • 44b7124 Simplified functionality needed for npm v7
  • 1646fd7 remove unnecessary deps and metadata
  • d74d479 chore: project settings
  • d4463a3 chore(deps): update semver, tap, standard
  • 89937d4 minimal package
  • 893b181 fix: allow pre-release versions of npm and node
  • ab92033 chore: bump version of semver package

Package name: npm-package-arg. The new version differs by 8 commits.
  • 26ffdd5 chore(release): 8.0.0
  • 17598ad chore: normalize settings, license, and update standard-version
  • ba85e68 drop support for node 6 and 8
  • 2c06e53 update tap
  • 9434f79 chore: update semver to v7
  • bf86221 chore(release): 7.0.0
  • 68a4fc3 deps: bump hosted-git-info to 3.0.2
  • ee44e84 chore: update deps

Package name: npm-pick-manifest. The new version differs by 12 commits.
  • 3c8cb5d chore(release): 5.0.0
  • dc2e61c chore: normalize settings, drop old nodes, update deps
  • 661ba9d chore: bump version of semver package
  • 405d00b chore(release): 4.0.0
  • 42c76d8 deps: bump npm-package-arg to v7
  • 8e66272 chore(release): 3.0.2
  • 420fb8c chore: update repo links
  • 543da7c chore(release): 3.0.1
  • 003286e fix: throw 403 for forbidden major/minor versions
  • ed0fc29 chore(release): 3.0.0
  • 6ab64fd chore: remove node 4.0 from travis
  • ad2a962 feat: throw forbidden error when package is blocked by policy

Package name: npm-registry-fetch. The new version differs by 21 commits.
  • d370dba chore(release): 6.0.0
  • 8c6622f chore: make-fetch-happen 7.1.0
  • 5813da6 fix: detect CI so our tests don't fail in CI
  • 3de1695 chore: replace nyc config with tap config
  • e18ed22 chore: bump make-fetch-happen to v7
  • 62f81a2 chore: bump ssri to v7
  • 8ccfa8a fix: Use WhatWG URLs instead of url.parse
  • 510b125 chore: normalize settings, drop old nodes, update deps
  • 622afb4 chore(release): 5.0.1
  • 7aa14fd deps: update all deps
  • 5764c15 deps: npm-package-arg@7
  • 786f092 chore(release): 5.0.0
  • 41ff216 chore: update travis config
  • 39e5cfe doc: fix badge url
  • 97c1208 chore: update tap, improve offline/prefer-offline tests
  • 82abf26 chore: Add missing tests and clean up dead code
  • 90ac7b1 fix: prefer const in getAuth function
  • e64702e fix: use minizlib instead of core zlib
  • 5cfe30b test: add string query example to test
  • e7286f7 fix!: Use native Promises
  • bb37f20 feat: refactor to use Minipass streams

Package name: pacote. The new version differs by 115 commits.
  • e88f844 10.3.0
  • b21dd92 update semver
  • d8ab8cf update npm-packlist
  • 361f0b3 update tap
  • c4bbf23 test: make the remote timeout test time out forever
  • b4ea91f npm-registry-fetch 6.0.0
  • 591edd8 @npmcli/installed-package-contents@1.0.5
  • 5ce1093 test: make remote timeout test more reliably time out
  • 48fc9b8 use WhatWG URL instead of url.parse
  • e515bce Update deps, float patch for npm-registry-fetch
  • cf50f54 update @npmcli/installed-package-contents, require node >=10
  • 698e996 Extract: rimraf dir contents, not dir itself
  • e568305 add @npmcli/installed-package-contents module
  • e8a80d7 upgrade all deps
  • dfccb4f remove extraneous isNaN checking in git opts
  • e33c9ce 10.2.1
  • bad55cd fix: Do not drop perms in git when not root
  • ccc9e20 bin: only add log listener once
  • 8a8cd6a 10.2.0
  • e8c274c registry: verify integrity when loading manifest
  • f28888e bin: Only JSON.stringify by default if an object
  • 0018eda 10.1.6
  • fc1053f git: prefer git+https over git+ssh for hosted repo
  • 9d2ce90 10.1.5

Package name: read-package-json. The new version differs by 8 commits.
  • 9f7049d chore(release): 3.0.0
  • 19d9fbe fix: check-in updated lockfile
  • eef46fa chore: add engines definition
  • 36b7ef7 chore: remove old .travis.yml envs
  • b3a8831 globa@7.1.6
  • fb3ceae json-parse-even-better-errors@2.3.1
  • 78add03 npm-normalize-package-bin@1.0.1
  • 7595d70 normalize-package-data@3.0.0

Package name: semver. The new version differs by 168 commits.

Package name: standard. The new version differs by 250 commits.

Package name: tap. The new version differs by 250 commits.
  • bc49fb7 15.0.0
  • 4378608 remove publishConfig beta tag
  • 2c2e75f provide mkdirRecursive polyfill for old node versions
  • 8f4c855 correctly specify 10.0.x versions
  • 5e61672 update deps
  • c44c418 Support 10.0 and test in CI
  • dc5c841 tcompare@5.0.4
  • 385b6d2 Add .taprc.yml/yaml handling to change log
  • 4f87466 just run regular test script as snap script
  • 315a921 delete FORCE_COLOR/NO_COLOR rather than setting to '0'
  • 564e96f Add detection for .yaml and .yml
  • 75bae93 update cli doc
  • c1289bf 15.0.0-3
  • d6fe32f Do not CI on node 10
  • d2e0428 do not use equals() alias in self-test
  • 3f787c4 tell npm to be colorful in CI
  • 1512818 run tests with color on github actions
  • 4626fa1 Docs: update documentation for tap v15
  • 02d536b libtap@1.0.1
  • f7c7c58 update cli doc
  • 2aa497c 15.0.0-2
  • 8d7f62e Add support for overriding libtap's internal settings
  • 29eed63 new snapshot folder layout
  • 3a28d4d update libtap git ref to isaacs/tap-v15-prep branch

Package name: update-notifier. The new version differs by 42 commits.

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
  • 🧐 View latest project report
  • 🛠 Adjust project settings
  • 📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:
  • 🦉 Regular Expression Denial of Service (ReDoS)

@google-cla (bot) commented Jun 23, 2023

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

@socket-security

🚨 Potential security issues detected. Learn more about Socket for GitHub.

To accept the risk, merge this PR and you will not be notified again.

| Issue | Package | Version | Note | Source |
| --- | --- | --- | --- | --- |
| Network access | http-proxy-agent | 4.0.1 | | deps/npm/package.json via libnpmaccess@4.0.3, libnpmhook@6.0.3, libnpmorg@2.0.3, libnpmsearch@3.1.2, libnpmteam@2.0.4, npm-profile@5.0.4 |
| Network access | http-proxy-agent | 5.0.0 | | deps/npm/package.json via licensee@9.0.0 |
| Network access | http2-wrapper | 2.2.0 | | deps/npm/package.json via update-notifier@6.0.2 |
| Network access | https-proxy-agent | 5.0.1 | | deps/npm/package.json via libnpmaccess@4.0.3, libnpmhook@6.0.3, libnpmorg@2.0.3, libnpmsearch@3.1.2, libnpmteam@2.0.4, licensee@9.0.0, npm-profile@5.0.4 |
| Network access | resolve-alpn | 1.2.1 | | deps/npm/package.json via update-notifier@6.0.2 |
| Network access | socks-proxy-agent | 6.2.1 | | deps/npm/package.json via libnpmaccess@4.0.3, libnpmhook@6.0.3, libnpmorg@2.0.3, libnpmsearch@3.1.2, libnpmteam@2.0.4, npm-profile@5.0.4 |
| Network access | socks-proxy-agent | 7.0.0 | | deps/npm/package.json via licensee@9.0.0 |
| Network access | tap | 15.2.3 | | deps/npm/package.json via tap@15.2.3 |
| Network access | @npmcli/arborist | 5.6.3 | | deps/npm/package.json via licensee@9.0.0 |
| Network access | minipass-fetch | 1.4.1 | | deps/npm/package.json via libnpmaccess@4.0.3, libnpmhook@6.0.3, libnpmorg@2.0.3, libnpmsearch@3.1.2, libnpmteam@2.0.4, npm-profile@5.0.4, npm-registry-fetch@6.0.2, pacote@10.3.2 |
| Network access | minipass-fetch | 2.1.2 | | deps/npm/package.json via licensee@9.0.0 |
| Network access | make-fetch-happen | 10.2.1 | | deps/npm/package.json via licensee@9.0.0 |
| Network access | make-fetch-happen | 7.1.1 | | deps/npm/package.json via npm-registry-fetch@6.0.2, pacote@10.3.2 |
| Network access | make-fetch-happen | 9.1.0 | | deps/npm/package.json via libnpmaccess@4.0.3, libnpmhook@6.0.3, libnpmorg@2.0.3, libnpmsearch@3.1.2, libnpmteam@2.0.4, npm-profile@5.0.4 |
| Network access | agentkeepalive | 4.3.0 | | deps/npm/package.json via libnpmaccess@4.0.3, libnpmhook@6.0.3, libnpmorg@2.0.3, libnpmsearch@3.1.2, libnpmteam@2.0.4, licensee@9.0.0, npm-profile@5.0.4, npm-registry-fetch@6.0.2, pacote@10.3.2 |

Next steps

What is network access?

This module accesses the network.

Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space-separated list of package-name@version specifiers, e.g. @SocketSecurity ignore foo@1.0.0 bar@*, or ignore all packages with @SocketSecurity ignore-all.

  • @SocketSecurity ignore http-proxy-agent@4.0.1
  • @SocketSecurity ignore http-proxy-agent@5.0.0
  • @SocketSecurity ignore http2-wrapper@2.2.0
  • @SocketSecurity ignore https-proxy-agent@5.0.1
  • @SocketSecurity ignore resolve-alpn@1.2.1
  • @SocketSecurity ignore socks-proxy-agent@6.2.1
  • @SocketSecurity ignore socks-proxy-agent@7.0.0
  • @SocketSecurity ignore tap@15.2.3
  • @SocketSecurity ignore @npmcli/arborist@5.6.3
  • @SocketSecurity ignore minipass-fetch@1.4.1
  • @SocketSecurity ignore minipass-fetch@2.1.2
  • @SocketSecurity ignore make-fetch-happen@10.2.1
  • @SocketSecurity ignore make-fetch-happen@7.1.1
  • @SocketSecurity ignore make-fetch-happen@9.1.0
  • @SocketSecurity ignore agentkeepalive@4.3.0

@socket-security

New and updated dependency changes detected. Learn more about Socket for GitHub.

| Packages | Version | New capabilities | Transitives (1) | Size | Publisher |
| --- | --- | --- | --- | --- | --- |
| npm-profile 🆕 | 5.0.4 | eval, network | +39 | 1.32 MB | nlf |
| libnpmhook 🆕 | 6.0.3 | eval, network | +39 | 1.3 MB | gar |
| npm-package-arg 🆕 | 8.1.5 | environment | +0 | 16.6 kB | isaacs |
| libnpmorg 🆕 | 2.0.3 | eval, network | +39 | 1.3 MB | gar |
| pacote 🆕 | 10.3.2 | eval, filesystem, environment | +34 | 1.13 MB | isaacs |
| libnpmaccess 🆕 | 4.0.3 | eval, network | +39 | 1.33 MB | gar |
| libnpmsearch 🆕 | 3.1.2 | eval, network | +39 | 1.3 MB | nlf |
| libnpmteam 🆕 | 2.0.4 | eval, network | +39 | 1.3 MB | nlf |
| npm-registry-fetch 🆕 | 6.0.2 | eval | +28 | 988 kB | isaacs |
| ini 🆕 | 2.0.0 | None | +0 | 9.47 kB | isaacs |
| node-gyp 🆕 | 7.1.2 | None | +13 | 2.34 MB | rvagg |
| read-package-json 🆕 | 3.0.1 | None | +0 | 19.9 kB | isaacs |
| mkdirp 🆕 | 1.0.4 | environment | +0 | 19.1 kB | isaacs |
| update-notifier 🆕 | 6.0.2 | network, environment | +69 | 1.59 MB | sindresorhus |
| tap ⬆️ | 12.7.0...15.2.3 | eval, network, filesystem | +77/-35 | 59.4 MB | isaacs |
| init-package-json ⬆️ | 1.10.3...2.0.5 | None | +2/-0 | 53 kB | gar |
| npm-pick-manifest ⬆️ | 2.2.3...5.0.0 | None | +1/-0 | 30.6 kB | isaacs |
| npm-install-checks ⬆️ | 3.0.2...4.0.0 | None | +0/-0 | 5.17 kB | isaacs |
| licensee ⬆️ | 7.0.3...9.0.0 | eval, network, shell | +96/-3 | 2.99 MB | kemitchell |
| standard ⬆️ | 11.0.1...15.0.1 | None | +57/-27 | 8.99 MB | feross |

Footnotes

  1. https://docs.socket.dev
