Update micromatch dependency.

[mastermatt]

Fixes: #46

micromatch v3 has multiple security vulnerabilities that were fixed with v4.

Changelog

[mastermatt]

Looks like micromatch dropped support for Node < 8. micromatch/micromatch#160
This lib needs to either do the same or drop the dep.

[doowb]

This update shouldn't be necessary now since we published patched versions of the affected dependencies. Take a look at this short guide on how to ensure you get those latest dependencies.

[mastermatt]

After a full rebuild, I still get these errors:

Prototype Pollution
high severity
Vulnerable module: set-value
Detailed paths
- Introduced through: my-app@0.1.0 › knex@0.17.6 › liftoff@3.1.0 › findup-sync@3.0.0 › micromatch@3.1.10 › snapdragon@0.8.2 › base@0.11.2 › cache-base@1.0.1 › set-value@2.0.1
- Introduced through: my-app@0.1.0 › knex@0.17.6 › liftoff@3.1.0 › findup-sync@3.0.0 › micromatch@3.1.10 › snapdragon@0.8.2 › base@0.11.2 › cache-base@1.0.1 › union-value@1.0.1 › set-value@2.0.1
- Introduced through: my-app@0.1.0 › knex@0.17.6 › liftoff@3.1.0 › findup-sync@3.0.0 › micromatch@3.1.10 › braces@2.3.2 › snapdragon@0.8.2 › base@0.11.2 › cache-base@1.0.1 › set-value@2.0.1
- Introduced through: my-app@0.1.0 › knex@0.17.6 › liftoff@3.1.0 › findup-sync@3.0.0 › micromatch@3.1.10 › extglob@2.0.4 › snapdragon@0.8.2 › base@0.11.2 › cache-base@1.0.1 › set-value@2.0.1
- Introduced through: my-app@0.1.0 › knex@0.17.6 › liftoff@3.1.0 › findup-sync@3.0.0 › micromatch@3.1.10 › nanomatch@1.2.13 › snapdragon@0.8.2 › base@0.11.2 › cache-base@1.0.1 › set-value@2.0.1
- Introduced through: my-app@0.1.0 › knex@0.17.6 › liftoff@3.1.0 › findup-sync@3.0.0 › micromatch@3.1.10 › braces@2.3.2 › snapdragon@0.8.2 › base@0.11.2 › cache-base@1.0.1 › union-value@1.0.1 › set-value@2.0.1
- Introduced through: my-app@0.1.0 › knex@0.17.6 › liftoff@3.1.0 › findup-sync@3.0.0 › micromatch@3.1.10 › extglob@2.0.4 › snapdragon@0.8.2 › base@0.11.2 › cache-base@1.0.1 › union-value@1.0.1 › set-value@2.0.1
- Introduced through: my-app@0.1.0 › knex@0.17.6 › liftoff@3.1.0 › findup-sync@3.0.0 › micromatch@3.1.10 › nanomatch@1.2.13 › snapdragon@0.8.2 › base@0.11.2 › cache-base@1.0.1 › union-value@1.0.1 › set-value@2.0.1
- Introduced through: my-app@0.1.0 › knex@0.17.6 › liftoff@3.1.0 › findup-sync@3.0.0 › micromatch@3.1.10 › extglob@2.0.4 › expand-brackets@2.1.4 › snapdragon@0.8.2 › base@0.11.2 › cache-base@1.0.1 › set-value@2.0.1
- Introduced through: my-app@0.1.0 › knex@0.17.6 › liftoff@3.1.0 › findup-sync@3.0.0 › micromatch@3.1.10 › extglob@2.0.4 › expand-brackets@2.1.4 › snapdragon@0.8.2 › base@0.11.2 › cache-base@1.0.1 › union-value@1.0.1 › set-value@2.0.1


Prototype Pollution
high severity
Vulnerable module: mixin-deep
Detailed paths
- Introduced through: my-app@0.1.0 › knex@0.17.6 › liftoff@3.1.0 › findup-sync@3.0.0 › micromatch@3.1.10 › snapdragon@0.8.2 › base@0.11.2 › mixin-deep@1.3.2
- Introduced through: my-app@0.1.0 › knex@0.17.6 › liftoff@3.1.0 › findup-sync@3.0.0 › micromatch@3.1.10 › braces@2.3.2 › snapdragon@0.8.2 › base@0.11.2 › mixin-deep@1.3.2
- Introduced through: my-app@0.1.0 › knex@0.17.6 › liftoff@3.1.0 › findup-sync@3.0.0 › micromatch@3.1.10 › extglob@2.0.4 › snapdragon@0.8.2 › base@0.11.2 › mixin-deep@1.3.2
- Introduced through: my-app@0.1.0 › knex@0.17.6 › liftoff@3.1.0 › findup-sync@3.0.0 › micromatch@3.1.10 › nanomatch@1.2.13 › snapdragon@0.8.2 › base@0.11.2 › mixin-deep@1.3.2
- Introduced through: my-app@0.1.0 › knex@0.17.6 › liftoff@3.1.0 › findup-sync@3.0.0 › micromatch@3.1.10 › extglob@2.0.4 › expand-brackets@2.1.4 › snapdragon@0.8.2 › base@0.11.2 › mixin-deep@1.3.2

Can you elaborate on where the patched dependencies were published?

[doowb]

set-value@2.0.1 and mixin-deep@1.3.2 are patched. I just realized that the tools reporting the vulnerabilities need to be updated to include those version ranges.