[Snyk] Fix for 11 vulnerabilities

[leonardoadame]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • deps/v8/tools/clusterfuzz/js_fuzzer/package.json
  • deps/v8/tools/clusterfuzz/js_fuzzer/.snyk

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	619/1000 Why? Has a fix available, CVSS 8.1	Prototype Pollution SNYK-JS-AJV-584908	No	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	No	Proof of Concept
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Prototype Pollution SNYK-JS-MINIMIST-2429795	Yes	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MOCHA-2863123	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MOCHA-561476	Yes	No Known Exploit
	768/1000 Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	Yes	Proof of Concept
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	Yes	Proof of Concept
	676/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.1	Regular Expression Denial of Service (ReDoS) npm:diff:20180305	Yes	Proof of Concept
	704/1000 Why? Has a fix available, CVSS 9.8	Arbitrary Code Injection npm:growl:20160721	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: eslint

The new version differs by 210 commits.

• 3dd6741 7.0.0
• 9a722f9 Build: changelog update for 7.0.0
• b98d8bd Upgrade: eslint-release@2.0.0 (readline: numeric strings converted to integers in cursorTo nodejs/node#13271)
• 4c0b028 Fix: remove Node.js and CommonJS category from build process (async_hooks: fix Promises with later enabled hooks nodejs/node#13242)
• 401a687 Chore: fix rules list for prereleases (. nodejs/node#13230)
• 4ef6158 Breaking: espree@7.0.0 (doc: fix doc styles nodejs/node#13270)
• b5c8d73 Docs: update 7.0.0 migration guide for consistency (small question about cluster. SCHED_RR nodejs/node#13267)
• 356fdb4 Docs: add migration guide (test: add hasCrypto check to test-cli-node-options nodejs/node#12692)
• 015edf6 Sponsors: Sync README with website
• fdfa364 7.0.0-rc.0
• 8d1b4db Build: changelog update for 7.0.0-rc.0
• 0b1d65a Update: Improve report location for array-callback-return (refs net: refactor onSlaveClose in Server.close nodejs/node#12334) (test: shorten test-benchmark-http nodejs/node#13109)
• d85e291 Fix: yoda left string fix for exceptRange (fixes test: favor deepStrictEqual over deepEqual nodejs/node#12883) (tracking issue: full VS2017 support nodejs/node#13052)
• 2ce6bed Chore: added tests for nested arrays (doc: don't use useless constructors in stream.md nodejs/node#13145)
• d3aac53 Update: report backtick loc in no-unexpected-multiline (refs net: refactor onSlaveClose in Server.close nodejs/node#12334) (async_hooks: implement C++ embedder API nodejs/node#13142)
• 8e7a2d9 Fix: func-call-spacing "never" reports wrong message (fixes src: correct endif comment SRC_NODE_API_H__ nodejs/node#13190) (src: add comment for TicketKeyCallback nodejs/node#13193)
• bcafd0f Update: Add ESLint API (refs New: ESLint Class Replacing CLIEngine eslint/rfcs#40) (zlib: expose amount of data read for compression/decompression nodejs/node#12939)
• 3eeae56 Upgrade: some (dev) deps (events: improve performance for emit(), on(), and listeners() nodejs/node#13155)
• 6b7030b Chore: Run tests on Node.js v14 (Date parse behavior change in node-v8 ? nodejs/node#13210)
• ebc28d7 Fix: Remove default .js from --ext CLI option (What does SecureContext::EnableTicketKeyCallback do? nodejs/node#13176)
• 5c1bdeb Update: Improve report location for getter-return (refs net: refactor onSlaveClose in Server.close nodejs/node#12334) (test: refactor event-emitter-check-listener-leaks nodejs/node#13164)
• 56d2bee Docs: fix typos (write EPIPE nodejs/node#13204)
• e13256e Chore: use espree.latestEcmaVersion in config-initializer (gdljuigu nodejs/node#13157)
• e4f57b7 Chore: add nested array tests for array-element-newline (OpenSSL 1.0.2l this week nodejs/node#13161)

See the full diff

Package name: mocha

The new version differs by 250 commits.

• 5f96d51 build(v10.1.0): release
• ed74f16 build(v10.1.0): update CHANGELOG
• 51d4746 chore(devDeps): update 'ESLint' to v8 (Problem with build Node v0.10.x on ARM Linux nodejs/node#4926)
• 4e06a6f fix(browser): increase contrast for replay buttons (Wrong exception reported for throw with toString returning symbol nodejs/node#4912)
• 41567df Support prefers-color-scheme: dark (Shared library issues for nodejs V5.5.0 on Solaris x86 11.2 and 11.3 nodejs/node#4896)
• 61b4b92 fix the regular expression for function `clean` in `utils.js` (Feature Request: get current response headers or unset them alll nodejs/node#4770)
• 77c18d2 chore: use standard 'Promise.allSettled' instead of polyfill (Node crashes when a big sparse array is given to console.log (might cause DoS) nodejs/node#4905)
• 84b2f84 chore(ci): upgrade GH actions to latest versions (Cannot build msi nodejs/node#4899)
• 023f548 build(v10.0.0): release
• 62b1566 build(v10.0.0): update CHANGELOG
• fbe7a24 chore: update dependencies (SNICallback doesn't appear to work with tls.createSecurePair() nodejs/node#4878)
• 2b98521 docs: replace 'git.io' short links (Clarify Buffer hex string error message nodejs/node#4877) [ci skip]
• 007fa65 chore(ci): add Node v18 to test matrix (doc: keep the names in sorted order nodejs/node#4876)
• f6695f0 chore(esm): remove code for Node v12 (src: attach error to stack on displayErrors nodejs/node#4874)
• 59f6192 chore(ci): conditionally skip 'push' event (deps: upgrade to npm 2.14.15 nodejs/node#4872)
• b863359 docs: fix 'fgrep' url (doc: make Buffer documentation styles consistent nodejs/node#4873)
• baaa41a chore(ci): ignore changes to docs files (doc: fix JSON generation for aliased methods nodejs/node#4871)
• ac81cc5 refactor!: drop support of 'growl' notification (doc: make doctool support guides nodejs/node#4866)
• 3946453 chore(deps)!: upgrade 'minimatch' (octane benchmark faults on ppc64le nodejs/node#4865)
• 592905b refactor!: rename 'bin/mocha' to 'bin/mocha.js' (doc: fix nonsensical grammar in Buffer::write nodejs/node#4863)
• b7b849b refactor!: remove deprecated Runner signature (test: fs.link() test runs on same device nodejs/node#4861)
• 0608fa3 chore(site): fix supporters' download (test: fs.link() on same device nodejs/node#4859)
• 785aeb1 chore(test): drop AMD/'requirejs' (OpenSSL upgrades: January 28th 2016 nodejs/node#4857)
• ed640c4 chore(devDeps): upgrade 'coffee-script' (Proposal: canary/next/master release strategy nodejs/node#4856)

See the full diff

Package name: pkg

The new version differs by 142 commits.

• ee8808a 5.0.0
• 08b26a4 Bump to vercel/pkg-fetch@v3.0.3 (deps: upgrade npm to 2.7.1 nodejs/node#1142)
• 211da6e Bump to vercel/pkg-fetch@v3.0.2
• 779adf8 Fix isPublic check for licenses array (Revert stream base nodejs/node#1140)
• 63f4ce0 test: add "node14" to fetch-all
• 6ecd52a Drop references to Node < 8
• 247d1d5 Fix "pkg-fetch" types
• bba8148 Don't mix objects of different types
• 5a97ee2 Cleanup dependencies
• 14fb420 Bump to vercel/pkg-fetch@v3.0.1
• 8756fc1 Support mkdir at mountpoints (tools/update-authors.sh doesn't work on OSX nodejs/node#1120)
• 94cdb69 test: add unit test for [Snyk] Security upgrade gulp from 3.9.1 to 4.0.0 #775 (doc: add Malte-Thorben Bruns to .mailmap nodejs/node#1118)
• 3507e2c Skip pnpm tests when nodeversion is < 12 ( test: fix variables quoated when path has spaces on Windows nodejs/node#1122)
• 6deb812 TypeScript Rewrite ( Failed to load c++ bson extension nodejs/node#1099)
• b7426da Remove coverage badge from README. (Already buffered data when creating a TLSSocket doesn't trigger/throw 'error' nodejs/node#1114)
• d3b9585 Extend ESLint to test files. (doc: move checkServerIdentity option to tls.connect() nodejs/node#1107)
• bbb20b2 Update License Zeit -> Vercel. (doc: Better links for all WGs + sp edits nodejs/node#1113)
• eb8921a Add support for symlink and pnpm. (Release proposal: v1.5.0 nodejs/node#1060)
• 79cca54 feat(parser): handle template literal without expressions (Feature-detect "use regular streams as an underlying socket for tls.connect()" nodejs/node#981)
• 2c1fa89 typo fix in readme (tls_wrap: proxy handle methods in prototype nodejs/node#1108)
• d9dc558 Add section about bytecode flag to README.md (https: certificate validation fails when using servername option nodejs/node#1106)
• c9ad6ff Add Windows builds on CI. (io.js for Raspberry Pi 2? nodejs/node#1105)
• 11b93bf Update all dependencies to latest. (http: send Content-Length when possible nodejs/node#1062)
• cceb78a Update release script. (fs: fix .write() not coercing non-string values nodejs/node#1102)

See the full diff

With a Snyk patch:

Severity	Priority Score (*)	Issue	Exploit Maturity
	731/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.2	Prototype Pollution SNYK-JS-LODASH-567746	Proof of Concept
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Some vulnerabilities couldn't be fully fixed and so Snyk will still find them when the project is tested again. This may be because the vulnerability existed within more than one direct dependency, but not all of the affected dependencies could be upgraded.

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution
🦉 Regular Expression Denial of Service (ReDoS)
🦉 Arbitrary Code Injection

[stackblitz]

Run & review this pull request in StackBlitz Codeflow.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 7832dba

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR