
[Snyk] Fix for 41 vulnerabilities #4

Merged
merged 1 commit into from
Apr 5, 2021

Conversation


@snyk-bot snyk-bot commented Apr 5, 2021

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:

    • package.json
  • Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
    Find out more.

Vulnerabilities that will be fixed

With an upgrade:
| Severity | Priority Score (*) | Why? | Issue | Snyk ID | Breaking Change | Exploit Maturity |
|---|---|---|---|---|---|---|
| medium | 539/1000 | Has a fix available, CVSS 6.5 | Cross-site Scripting (XSS) | SNYK-JS-BOOTSTRAP-173700 | No | No Known Exploit |
| medium | 539/1000 | Has a fix available, CVSS 6.5 | Cross-site Scripting (XSS) | SNYK-JS-BOOTSTRAP-72889 | No | No Known Exploit |
| medium | 539/1000 | Has a fix available, CVSS 6.5 | Cross-site Scripting (XSS) | SNYK-JS-BOOTSTRAP-72890 | No | No Known Exploit |
| medium | 479/1000 | Has a fix available, CVSS 5.3 | Regular Expression Denial of Service (ReDoS) | SNYK-JS-GLOBPARENT-1016905 | Yes | No Known Exploit |
| medium | 601/1000 | Proof of Concept exploit, Has a fix available, CVSS 5.6 | Prototype Pollution | SNYK-JS-JQUERY-174006 | Yes | Proof of Concept |
| medium | 636/1000 | Proof of Concept exploit, Has a fix available, CVSS 6.3 | Cross-site Scripting (XSS) | SNYK-JS-JQUERY-565129 | Yes | Proof of Concept |
| medium | 646/1000 | Proof of Concept exploit, Has a fix available, CVSS 6.5 | Cross-site Scripting (XSS) | SNYK-JS-JQUERY-567880 | Yes | Proof of Concept |
| medium | 509/1000 | Has a fix available, CVSS 5.9 | Denial of Service (DoS) | SNYK-JS-JSYAML-173999 | Yes | No Known Exploit |
| high | 619/1000 | Has a fix available, CVSS 8.1 | Arbitrary Code Execution | SNYK-JS-JSYAML-174129 | Yes | No Known Exploit |
| medium | 586/1000 | Proof of Concept exploit, Has a fix available, CVSS 5.3 | Regular Expression Denial of Service (ReDoS) | SNYK-JS-LODASH-1018905 | Yes | Proof of Concept |
| high | 681/1000 | Proof of Concept exploit, Has a fix available, CVSS 7.2 | Command Injection | SNYK-JS-LODASH-1040724 | Yes | Proof of Concept |
| high | 686/1000 | Proof of Concept exploit, Has a fix available, CVSS 7.3 | Prototype Pollution | SNYK-JS-LODASH-450202 | Yes | Proof of Concept |
| medium | 636/1000 | Proof of Concept exploit, Has a fix available, CVSS 6.3 | Prototype Pollution | SNYK-JS-LODASH-567746 | Yes | Proof of Concept |
| high | 704/1000 | Has a fix available, CVSS 9.8 | Prototype Pollution | SNYK-JS-LODASH-590103 | Yes | No Known Exploit |
| high | 686/1000 | Proof of Concept exploit, Has a fix available, CVSS 7.3 | Prototype Pollution | SNYK-JS-LODASH-608086 | Yes | Proof of Concept |
| high | 579/1000 | Has a fix available, CVSS 7.3 | Prototype Pollution | SNYK-JS-LODASH-73638 | Yes | No Known Exploit |
| medium | 434/1000 | Has a fix available, CVSS 4.4 | Regular Expression Denial of Service (ReDoS) | SNYK-JS-LODASH-73639 | Yes | No Known Exploit |
| medium | 550/1000 | Has a fix available, CVSS 6.5 | Out-of-bounds Read | SNYK-JS-NODESASS-535499 | Yes | No Known Exploit |
| high | 630/1000 | Has a fix available, CVSS 8.1 | Out-of-bounds Read | SNYK-JS-NODESASS-535501 | Yes | No Known Exploit |
| high | 600/1000 | Has a fix available, CVSS 7.5 | Uncontrolled Recursion | SNYK-JS-NODESASS-535503 | Yes | No Known Exploit |
| medium | 550/1000 | Has a fix available, CVSS 6.5 | Resource Exhaustion | SNYK-JS-NODESASS-535504 | Yes | No Known Exploit |
| high | 665/1000 | Has a fix available, CVSS 8.8 | NULL Pointer Dereference | SNYK-JS-NODESASS-535505 | Yes | No Known Exploit |
| high | 589/1000 | Has a fix available, CVSS 7.5 | Uncontrolled Recursion | SNYK-JS-NODESASS-540960 | Yes | No Known Exploit |
| high | 589/1000 | Has a fix available, CVSS 7.5 | Out-of-bounds Read | SNYK-JS-NODESASS-540962 | Yes | No Known Exploit |
| high | 589/1000 | Has a fix available, CVSS 7.5 | Improper Input Validation | SNYK-JS-NODESASS-540966 | Yes | No Known Exploit |
| high | 589/1000 | Has a fix available, CVSS 7.5 | Improper Input Validation | SNYK-JS-NODESASS-540968 | Yes | No Known Exploit |
| high | 589/1000 | Has a fix available, CVSS 7.5 | Uncontrolled Recursion | SNYK-JS-NODESASS-540970 | Yes | No Known Exploit |
| high | 589/1000 | Has a fix available, CVSS 7.5 | Out-of-bounds Read | SNYK-JS-NODESASS-540972 | Yes | No Known Exploit |
| high | 654/1000 | Has a fix available, CVSS 8.8 | NULL Pointer Dereference | SNYK-JS-NODESASS-540974 | Yes | No Known Exploit |
| medium | 539/1000 | Has a fix available, CVSS 6.5 | Denial of Service (DoS) | SNYK-JS-NODESASS-540982 | Yes | No Known Exploit |
| medium | 539/1000 | Has a fix available, CVSS 6.5 | Out-of-bounds Read | SNYK-JS-NODESASS-540984 | Yes | No Known Exploit |
| high | 589/1000 | Has a fix available, CVSS 7.5 | Out-of-bounds Read | SNYK-JS-NODESASS-540986 | Yes | No Known Exploit |
| high | 589/1000 | Has a fix available, CVSS 7.5 | Denial of Service (DoS) | SNYK-JS-NODESASS-540988 | Yes | No Known Exploit |
| medium | 509/1000 | Has a fix available, CVSS 5.9 | Denial of Service (DoS) | SNYK-JS-NODESASS-542662 | Yes | No Known Exploit |
| medium | 539/1000 | Has a fix available, CVSS 6.5 | Cross-site Scripting (XSS) | npm:bootstrap:20160627 | No | No Known Exploit |
| medium | 539/1000 | Has a fix available, CVSS 6.5 | Cross-site Scripting (XSS) | npm:bootstrap:20180529 | No | No Known Exploit |
| low | 506/1000 | Proof of Concept exploit, Has a fix available, CVSS 3.7 | Regular Expression Denial of Service (ReDoS) | npm:braces:20180219 | Yes | Proof of Concept |
| medium | 484/1000 | Has a fix available, CVSS 5.4 | Cross-site Scripting (XSS) | npm:jquery:20150627 | No | No Known Exploit |
| medium | 529/1000 | Has a fix available, CVSS 6.3 | Prototype Pollution | npm:lodash:20180130 | Yes | No Known Exploit |
| high | 589/1000 | Has a fix available, CVSS 7.5 | Prototype Override Protection Bypass | npm:qs:20170213 | No | No Known Exploit |

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: bootstrap The new version differs by 250 commits.
  • 68b0d23 Dist
  • 2ccfa57 handle # selector for dropdown
  • a43077d Bump version to 3.4.1.
  • d821de2 Backport sanitize docs from v4.
  • 5cd9ef4 Add wdm gem for Windows.
  • d6b8501 ES5 fixes.
  • 2c8abb9 Add sanitize for tooltips and popovers html content.
  • d4129df Bump year.
  • 0d64d6a less/modals.less: Add missing semicolon.
  • 48c5d7b Use https.
  • b23e213 Update devDependencies and gems.
  • 695c541 Fix redirects.
  • 9206e46 Make meaning of tooltip's 'selector' option more clear in Bootstrap 3
  • b285ea3 Add a few redirects.
  • 3e1b894 Fix broken link in nav version dropdown.
  • 3e519c3 Support nuget contentFiles, used for some project types (#27856)
  • 4c547f2 Dist.
  • 0f1c6b0 Move the whole autoprefixer config to configBridge.json.
  • 9332f3c Add polyfills for older browsers.
  • dd71b40 docs: Concat the IE files with the rest.
  • 4a5c7f2 Update devDependencies, gems and lots of cleanup/build fixes.
  • 7a2cdfb Center skippy.
  • 3b82587 Restore `cursor: help` for `abbr`.
  • bf69f1f Backport the `abbr` fix from the updated normalize.css.

See the full diff

Package name: copy-webpack-plugin The new version differs by 18 commits.

See the full diff

Package name: css-loader The new version differs by 136 commits.
  • 43179a8 chore(release): 1.0.0
  • 3d53968 Merge remote-tracking branch 'origin/master'
  • 240db53 version 1.0 (#742)
  • 1b7acf7 Merge remote-tracking branch 'origin/master'
  • 1703721 docs(README): add more context to `localIdentName` (#711)
  • 1c51265 docs(README): fix malformed emoji (#701)
  • 50f8ec0 Merge remote-tracking branch 'origin/master'
  • 07444ad tests: css custom variables (#709)
  • 3de8aa7 tests: css custom variables (#709)
  • df497db chore(release): 0.28.11
  • c788450 fix(lib/processCss): don't check `mode` for `url` handling (`options.modules`) (#698)
  • c35d8bd chore(release): 0.28.10
  • 9f876d2 fix(getLocalIdent): add `rootContext` support (`webpack >= v4.0.0`) (#681)
  • 0452f26 test: hashes inside `@font-face` url (#678)
  • 630579d chore(release): 0.28.9
  • 604bd4b chore(package): update dependencies
  • d1d8221 fix: ignore invalid URLs (`url()`) (#663)
  • 0fc46c7 chore(release): 0.28.8
  • 333a2ce chore(package): update `dependencies`
  • 39773aa ci(travis): use `npm`
  • 8897d44 fix: proper URL escaping and wrapping (`url()`) (#627)
  • 0dccfa9 fix(loader): correctly check if source map is `undefined` (#641)
  • d999f4a docs: Update importLoaders documentation (#646)
  • 05c36db test: removed redundant `modules` argument (#599)

See the full diff

Package name: history The new version differs by 35 commits.
  • 702db62 Version 1.14.0
  • 990b853 Merge pull request #168 from taion/doc-141
  • a9db75a Deprecate pushState and replaceState
  • 50420f9 Document the new push and replace syntax
  • 0a1b31a Merge pull request #171 from rackt/query-string
  • d0edd09 Use query-string instead of qs
  • 331ee28 Merge pull request #167 from taion/hash-replace
  • 32a3978 Consider the full path in changing PUSH to REPLACE
  • ce96689 Merge pull request #141 from taion/push-replace-location-object
  • 9a5a378 Merge pull request #156 from taion/actually-fix-coverage
  • 969463f Configure the coverage reporter
  • 4ab16f3 Merge pull request #155 from rackt/taion-patch-1
  • d88948f Clean up the last of the old push/replace docs
  • e2c9860 Merge pull request #152 from taion/build-es6
  • 07b8013 Add ES2015 module build
  • 2688abe Merge pull request #151 from taion/clean-lib
  • b1cf2fa Merge pull request #150 from taion/linkify-CHANGES-HEAD
  • a6aac12 Clean output directory when building
  • 23353fe Link to HEAD diffs on CHANGES
  • ede110f Merge pull request #147 from taion/CriOS-fixme
  • 7f28fcb Merge pull request #148 from taion/eslint-mocha
  • 7bb2867 Centralize eslint env setting
  • b98fc54 Add FIXME note to CriOS workaround
  • ae05e84 Update CHANGES.md

See the full diff

Package name: node-sass The new version differs by 234 commits.
  • b54053a Update changelog
  • 01db051 4.13.1
  • 338fd7a Merge pull request from GHSA-f6rp-gv58-9cw3
  • c6f2e5a doc: README example fix (#2787)
  • fbc9ff5 Merge pull request #2754 from saper/no-map-if-not-requested
  • 60fad5f 4.13.0
  • 43db915 Merge pull request #2768 from sass/release-4-13
  • 0c8d308 Update references for v4.13 release
  • f1cc0d3 Use GCC 6 for Node 12 binaries (#2767)
  • 3838eae Use GCC 6 for Node 12 binaries
  • e84c6a9 Merge pull request #2766 from saper/node-modules-79
  • 64b6f32 Node 13 support
  • 8498f70 Fix #2394: sourceMap option should have consistent behaviour
  • 8d0acca Merge pull request #2753 from schwigri/master
  • b0d4d85 Fix broken link to NodeJS docs in README.md
  • 887199a Merge pull request #2730 from kessenich/master
  • b1f54d7 Fix #2614 - Update lodash version
  • 96aa279 Merge pull request #2726 from XhmikosR/master-xmr-typos
  • 8421979 Assorted typo fixes.
  • 2513e6a chore: Remove PR template
  • 7ab387c Merge pull request #2673 from abetomo/remove_sudo_setting_from_travis
  • 15355dd Remove sudo settings from .travis.yml
  • 0c1a49e chore: Add note in PR template about node-gyp 4.0
  • e59f5ba chore: Change note about Node 12 support

See the full diff

Package name: webpack The new version differs by 250 commits.
  • 4be093d 2.2.0
  • 2278469 2.2.0-rc.8
  • b946eb4 Merge pull request #3988 from malstoun/bug/2664
  • 260e413 Merge pull request #3986 from webpack/bugfix/revert_use_of_buffer_dot_from
  • 0ec7de9 Fix regression with watch cli opt, add tests for this case
  • 72226db add missing disable line
  • 4d30675 build fresh yarn.lock file to remove buffer polyfill
  • 91c1f35 fix(node): rollback changes of Buffer.from to new Buffer() and bump down travis to 4.3 min node v
  • 0b47602 2.2.0-rc.7
  • db6ccbc Merge pull request #3978 from webpack/bugfix/conditional-reexports
  • 82a5b03 Merge pull request #3977 from malstoun/bug/2664
  • fc1a43b Merge pull request #3976 from timse/rely-on-defaults
  • a44694a hoist exports declarations too
  • 682bde8 Fix lint
  • c6d7d90 Add tests
  • af8d49e remove defaults values to shave a few bytes
  • 9796696 2.2.0-rc.6
  • e9bdb05 Merge pull request #3971 from webpack/bugfix/fix_available_vars_in_fmtp
  • bd45bdc add test case for global in harmony modules
  • bfccb20 fix PR
  • 5a3a23f fix(nmf): Fix exports for var injection to include free glob exports or arguments
  • 437dce4 2.2.0-rc.5
  • 91cb1df Merge pull request #3970 from webpack/ci/appveyor
  • 9fd55e5 Merge pull request #3969 from webpack/bugfix/issue-3964

See the full diff

With a Snyk patch:
| Severity | Priority Score (*) | Why? | Issue | Snyk ID | Exploit Maturity |
|---|---|---|---|---|---|
| high | 589/1000 | Has a fix available, CVSS 7.5 | Regular Expression Denial of Service (ReDoS) | npm:minimatch:20160620 | No Known Exploit |

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-BOOTSTRAP-173700
- https://snyk.io/vuln/SNYK-JS-BOOTSTRAP-72889
- https://snyk.io/vuln/SNYK-JS-BOOTSTRAP-72890
- https://snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905
- https://snyk.io/vuln/SNYK-JS-JQUERY-174006
- https://snyk.io/vuln/SNYK-JS-JQUERY-565129
- https://snyk.io/vuln/SNYK-JS-JQUERY-567880
- https://snyk.io/vuln/SNYK-JS-JSYAML-173999
- https://snyk.io/vuln/SNYK-JS-JSYAML-174129
- https://snyk.io/vuln/SNYK-JS-LODASH-1018905
- https://snyk.io/vuln/SNYK-JS-LODASH-1040724
- https://snyk.io/vuln/SNYK-JS-LODASH-450202
- https://snyk.io/vuln/SNYK-JS-LODASH-567746
- https://snyk.io/vuln/SNYK-JS-LODASH-590103
- https://snyk.io/vuln/SNYK-JS-LODASH-608086
- https://snyk.io/vuln/SNYK-JS-LODASH-73638
- https://snyk.io/vuln/SNYK-JS-LODASH-73639
- https://snyk.io/vuln/SNYK-JS-NODESASS-535499
- https://snyk.io/vuln/SNYK-JS-NODESASS-535501
- https://snyk.io/vuln/SNYK-JS-NODESASS-535503
- https://snyk.io/vuln/SNYK-JS-NODESASS-535504
- https://snyk.io/vuln/SNYK-JS-NODESASS-535505
- https://snyk.io/vuln/SNYK-JS-NODESASS-540960
- https://snyk.io/vuln/SNYK-JS-NODESASS-540962
- https://snyk.io/vuln/SNYK-JS-NODESASS-540966
- https://snyk.io/vuln/SNYK-JS-NODESASS-540968
- https://snyk.io/vuln/SNYK-JS-NODESASS-540970
- https://snyk.io/vuln/SNYK-JS-NODESASS-540972
- https://snyk.io/vuln/SNYK-JS-NODESASS-540974
- https://snyk.io/vuln/SNYK-JS-NODESASS-540982
- https://snyk.io/vuln/SNYK-JS-NODESASS-540984
- https://snyk.io/vuln/SNYK-JS-NODESASS-540986
- https://snyk.io/vuln/SNYK-JS-NODESASS-540988
- https://snyk.io/vuln/SNYK-JS-NODESASS-542662
- https://snyk.io/vuln/npm:bootstrap:20160627
- https://snyk.io/vuln/npm:bootstrap:20180529
- https://snyk.io/vuln/npm:braces:20180219
- https://snyk.io/vuln/npm:jquery:20150627
- https://snyk.io/vuln/npm:lodash:20180130
- https://snyk.io/vuln/npm:qs:20170213


The following vulnerabilities are fixed with a Snyk patch:
- https://snyk.io/vuln/npm:minimatch:20160620
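The bug class behind the seven "Prototype Pollution" advisories above (the lodash and jquery ones) is easy to miss when reading a fix PR as a list of identifiers. The following is an added illustration, not code from this project, from lodash or jquery, or from the PR: a minimal recursive merge in its vulnerable form beside a hardened one, driven by a constructed attacker payload. The `unsafeMerge`, `safeMerge`, `pollutes` and `PAYLOAD` names are this example's own.

```javascript
// Added example, not lodash's code and not this project's: the bug class
// behind the "Prototype Pollution" entries above, shown on a minimal
// recursive merge. JSON.parse turns "__proto__" into an ordinary own key,
// so a merge that copies every own key walks through target["__proto__"]
// (which resolves to Object.prototype) and writes attacker data there.

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable form: no key filtering. For key "__proto__", target[key] is
// Object.prototype, and the recursive call assigns into it.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened form: skip the keys that reach the prototype chain, and only
// recurse into a plain object that target owns itself (never an inherited one).
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker body, e.g. a JSON request merged into an options
// object. JSON.parse keeps "__proto__" as an own property of the result.
const PAYLOAD = '{"theme":"dark","__proto__":{"isAdmin":true}}';

// Runs one merge, then asks an unrelated, freshly created object whether it
// inherited the attacker's flag. leaked === true means pollution happened.
// Object.prototype is restored afterwards so later code is unaffected.
function pollutes(mergeFn) {
  const options = mergeFn({}, JSON.parse(PAYLOAD));
  const unrelated = {};
  const leaked = unrelated.isAdmin === true;
  delete Object.prototype.isAdmin;
  return { leaked, theme: options.theme };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafeMerge pollutes:', pollutes(unsafeMerge).leaked); // true
  console.log('safeMerge pollutes:', pollutes(safeMerge).leaked);     // false
}
```

Filtering the three keys is the fix that the library patches apply in spirit; an application-level complement is to merge into `Object.create(null)` objects, which have no prototype to reach, and to treat any `__proto__` key in decoded input as a reason to reject the request.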
@1Blackdiamondsc 1Blackdiamondsc merged commit 05ae32b into master Apr 5, 2021
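One check a reviewer would want after merging a PR like this: bumping a direct dependency in `package.json` only moves that one copy, while copies of the same package nested under other dependencies keep their old version (that transitive case is exactly why the minimatch issue above is handled by a Snyk patch rather than an upgrade). The script below is an added example, not part of the PR, of snyk-bot, or of this project. It walks a `package-lock.json` in either the lockfileVersion 1 layout (nested `dependencies`) or the lockfileVersion 2/3 layout (flat `packages` map) and lists every resolved copy of the packages named in the advisory list. The `WATCHED` names come from the advisories above; the `TARGET` versions are the versions the commit lists above show the PR upgrading to (bootstrap 3.4.1, node-sass 4.13.1) and are assumed here to be the fixed versions; the sample lockfiles and the "legacy-theme" package are constructed for the demonstration.

```javascript
// Added example, not code from the Snyk PR or from this project. After a
// dependency-bump PR is merged, list every resolved copy of the affected
// packages in the lockfile, including copies nested under other packages,
// and flag those still below the version the PR upgraded to.

// Package names taken from the advisory list in the PR.
const WATCHED = new Set([
  'bootstrap', 'jquery', 'lodash', 'js-yaml', 'node-sass', 'qs',
  'braces', 'glob-parent', 'minimatch',
]);

// Versions the PR upgrades to, as read from the commit lists above (assumed
// here to be the fixed versions). Fill in the rest from the linked advisories.
const TARGET = { bootstrap: '3.4.1', 'node-sass': '4.13.1' };

// lockfileVersion 1: each entry may nest its own "dependencies" object.
function walkV1(deps, path, out) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const here = [...path, name];
    if (WATCHED.has(name)) out.push({ name, version: entry.version, path: here.join(' > ') });
    walkV1(entry.dependencies, here, out);
  }
}

// lockfileVersion 2/3: flat "packages" map keyed by install path, e.g.
// "node_modules/a/node_modules/b"; the "" key is the root project itself.
function walkPackages(packages, out) {
  for (const [key, entry] of Object.entries(packages || {})) {
    if (!key.startsWith('node_modules/')) continue;
    const parts = key.split('node_modules/').filter(Boolean).map((s) => s.replace(/\/$/, ''));
    const name = parts[parts.length - 1];
    if (WATCHED.has(name)) out.push({ name, version: entry.version, path: parts.join(' > ') });
  }
}

// Returns { packageName: [{ name, version, path }, ...] } for every copy found.
function auditLockfile(lock) {
  const found = [];
  if (lock.packages) walkPackages(lock.packages, found);
  else walkV1(lock.dependencies, [], found);
  const byName = {};
  for (const f of found) (byName[f.name] = byName[f.name] || []).push(f);
  return byName;
}

// Numeric compare of dotted versions; true when v is older than min.
function isBelow(v, min) {
  const a = v.split('.').map(Number), b = min.split('.').map(Number);
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    const x = a[i] || 0, y = b[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Copies still below the PR's target version, wherever they sit in the tree.
function findStale(lock) {
  const stale = [];
  for (const [name, copies] of Object.entries(auditLockfile(lock))) {
    if (!TARGET[name]) continue;
    for (const c of copies) if (isBelow(c.version, TARGET[name])) stale.push(c);
  }
  return stale;
}

// Constructed sample lockfile (not the project's): the direct bootstrap is
// bumped, but a hypothetical "legacy-theme" package still nests the old one.
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    bootstrap: { version: '3.4.1' },
    'legacy-theme': { version: '1.0.0', dependencies: { bootstrap: { version: '3.3.7' } } },
    'node-sass': { version: '4.13.1' },
    lodash: { version: '4.17.21' },
  },
};

// The same constructed tree in the lockfileVersion 2/3 layout.
const SAMPLE_LOCK_V2 = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'app' },
    'node_modules/bootstrap': { version: '3.4.1' },
    'node_modules/legacy-theme': { version: '1.0.0' },
    'node_modules/legacy-theme/node_modules/bootstrap': { version: '3.3.7' },
    'node_modules/node-sass': { version: '4.13.1' },
    'node_modules/lodash': { version: '4.17.21' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  // Usage: node audit-lock.js [path/to/package-lock.json]; defaults to the sample.
  const file = process.argv[2];
  const lock = file ? JSON.parse(require('fs').readFileSync(file, 'utf8')) : SAMPLE_LOCK_V1;
  for (const c of findStale(lock)) console.log(`STALE ${c.path} @ ${c.version}`);
}
```

A nested stale copy reported here is not fixed by the `package.json` bump; it needs either an upgrade of the package that pins it, an `overrides` entry, or, as Snyk does for minimatch, a patch applied in place.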
Successfully merging this pull request may close these issues.

  • Persist tx arguments across refreshes (like reflux-tx does for txes)
  • More full explorer functionality
2 participants