[Snyk] Fix for 5 vulnerabilities

[saurabharch]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json
  • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-COOKIEJAR-3149984	No	Proof of Concept
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Prototype Pollution SNYK-JS-MINIMIST-2429795	Yes	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Poisoning SNYK-JS-QS-3153490	No	Proof of Concept
	579/1000 Why? Has a fix available, CVSS 7.3	Prototype Pollution npm:extend:20180424	No	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: auth0-js

The new version differs by 250 commits.

• 7a40a58 release 9.20.2 (#1299)
• ad6901e chore: update superagent to 7.1.5 (#1296)
• c67e194 Merge pull request #1295 from auth0/dependabot/npm_and_yarn/sideway/formula-3.0.1
• 2564104 Bump @ sideway/formula from 3.0.0 to 3.0.1
• 2fa95ac Merge pull request #1294 from auth0/dependabot/npm_and_yarn/http-cache-semantics-4.1.1
• 09ba38b Bump http-cache-semantics from 4.1.0 to 4.1.1
• 19c6253 fix(docs): document `error()` option for `renderCaptcha()`(#1290)
• 2e75b62 Merge pull request #1289 from auth0/dependabot/npm_and_yarn/cookiejar-2.1.4
• 688b3ee Bump cookiejar from 2.1.3 to 2.1.4
• 73e3ed0 Release v9.20.1 (#1286)
• c367b3f Merge pull request #1285 from auth0/dependabot/npm_and_yarn/json5-1.0.2
• 8a7bc49 Bump json5 from 1.0.1 to 1.0.2
• edec638 Update index.js
• a606cb6 Merge pull request #1282 from auth0/dependabot/npm_and_yarn/jsonwebtoken-9.0.0
• 173ac36 Bump jsonwebtoken from 8.5.1 to 9.0.0
• a05f99e Release v9.20.0 (#1280)
• 05dbf4a Merge pull request #1277 from DominickBattistini/passwordlessCaptcha
• a03f7f4 Merge branch 'master' into passwordlessCaptcha
• 3c1b23d Merge pull request #1279 from auth0/dependabot/npm_and_yarn/decode-uri-component-0.2.2
• 68c6a78 Bump decode-uri-component from 0.2.0 to 0.2.2
• 5fb57ea Add jsdoc for captcha argument on passwordless/start
• bd35c1a getChallenge to passwordless, additional tests
• 0e65fb4 renderPasswordlessChallenge
• de9c54a Release v9.19.2 (#1274)

See the full diff

Package name: css-loader

The new version differs by 136 commits.

• 43179a8 chore(release): 1.0.0
• 3d53968 Merge remote-tracking branch 'origin/master'
• 240db53 version 1.0 (Fixing negative decimal numbers and new user flow. getguesstimate/guesstimate-app#742)
• 1b7acf7 Merge remote-tracking branch 'origin/master'
• 1703721 docs(README): add more context to `localIdentName` (08/06 Release Fixes getguesstimate/guesstimate-app#711)
• 1c51265 docs(README): fix malformed emoji (Fixing calculator bugs. getguesstimate/guesstimate-app#701)
• 50f8ec0 Merge remote-tracking branch 'origin/master'
• 07444ad tests: css custom variables (All instances of a fact handle should be translated. getguesstimate/guesstimate-app#709)
• 3de8aa7 tests: css custom variables (All instances of a fact handle should be translated. getguesstimate/guesstimate-app#709)
• df497db chore(release): 0.28.11
• c788450 fix(lib/processCss): don't check `mode` for `url` handling (`options.modules`) (Space dropdown / fuzzy search getguesstimate/guesstimate-app#698)
• c35d8bd chore(release): 0.28.10
• 9f876d2 fix(getLocalIdent): add `rootContext` support (`webpack >= v4.0.0`) (Fact bank restyling getguesstimate/guesstimate-app#681)
• 0452f26 test: hashes inside `@ font-face` url (The new fact form should reset properly after fact creation. getguesstimate/guesstimate-app#678)
• 630579d chore(release): 0.28.9
• 604bd4b chore(package): update dependencies
• d1d8221 fix: ignore invalid URLs (`url()`) (Refactors and initial fact-bank redux setup getguesstimate/guesstimate-app#663)
• 0fc46c7 chore(release): 0.28.8
• 333a2ce chore(package): update `dependencies`
• 39773aa ci(travis): use `npm`
• 8897d44 fix: proper URL escaping and wrapping (`url()`) (Create compressed calculator view getguesstimate/guesstimate-app#627)
• 0dccfa9 fix(loader): correctly check if source map is `undefined` (Calculator edit form should save correctly getguesstimate/guesstimate-app#641)
• d999f4a docs: Update importLoaders documentation (1. Create /facts store, populate it with facts for Guesstimate org getguesstimate/guesstimate-app#646)
• 05c36db test: removed redundant `modules` argument (We need to send intercom the logged in user id, not the auth0 id. getguesstimate/guesstimate-app#599)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Prototype Pollution