[Snyk] Fix for 1 vulnerabilities

[ebarahona]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json

⚠️ Warning

Failed to update the package-lock.json, please update manually before merging.

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	768/1000 Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-LODASH-6139239	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: browser-sync

The new version differs by 74 commits.

• 8c28e8c 2.24.7
• 9e96603 fix: scroll - add missing init method for window.name method of scroll restoring - fixes #1586 #1457 #1457
• 48286e0 fix: proxy Port gets unnecesarily rewritten in Proxy - fixes #1577
• a6578a3 deps: [email protected] [email protected] [email protected]
• ef6bfa5 Merge pull request #1582 from strarsis/patch-1
• 7c0a65c 2.24.6
• 15c838e docs: updated cwd, watch & callbacks inline documentation
• bb7bef1 Merge pull request #1584 from adamzerella/issue/Add-docs-for-cwd
• e41ccea Added doc note for cwd
• b6ba0dd Update opn to latest release
• ef0f947 2.24.5
• fda88b1 Merge pull request #1572 from BrowserSync/audit
• a89336b ci: don't run coverage
• 123551b deps: bump mocha + add `--exit` flag
• 90e7306 fix: TypeError when watchOptions.ignored is not an array - fixes #1563
• dd70eba deps: update following npm audit - fixes #1559
• 19359cc 2.24.4
• a6d39e6 fix: Remote Debug tools do not work - fixes #1556
• f89aa04 2.24.3
• 80d5ed3 Merge pull request #1555 from BrowserSync/bugs/1553
• 3073d61 Merge pull request #1554 from BrowserSync/bugs/1543
• cc5118c fix: Don’t always add "defaultIgnorePatterns" - fixes #1543
• 1153845 fix: handle windows-style paths on the client - fixes #1553
• af79226 2.24.2

See the full diff

Package name: gulp

The new version differs by 134 commits.

• 55eb23a Release: 4.0.0
• 173a532 Docs: Fix the installation instructions
• ec54d09 Docs: Improve note about out-of-date docs
• 03b7c98 Docs: Update recipes to install gulp@next
• 2eba29e Docs: Remove run-sequence from recipes
• 76eb4d6 Docs: Add installation instructions & update badges
• fbc162f Docs: Remove references to gulp-util
• 3011cf9 Scaffold: Normalize repository
• f27be05 Update: Remove graceful-fs from test suite
• 361ab63 Upgrade: Update glob-watcher
• 064d100 Build: Avoid broken node 9
• 057df59 Release: 4.0.0-alpha.3
• c1ba80c Breaking: Upgrade major versions of glob-watcher, gulp-cli & vinyl-fs
• 89acc5c Docs: Improve ES2015 task exporting examples (#1999)
• 0ac9e04 Docs: Add "Project structure" section to CONTRIBUTING.md (#1859)
• 723cbc4 Docs: Fix syntax in recipe example (#1715)
• d420a6a Docs: Have gulp.lastRun take a function to avoid task registration (#1828)
• 29ece6f Upgrade: Update undertaker
• e931cb0 Docs: Fix changelog typos (#1696)
• 477db84 Docs: Add a "BrowserSync with Gulp 4" recipe (#1659)
• d4ed3c7 Docs: Add options.cwd for gulp.src API (#1645)
• 5dc3b07 Docs: Update gulp.watch API to align with glob-watcher
• 0c66069 Breaking: Replace chokidar as gulp.watch with glob-watcher wrapper
• c3dbc10 Docs: Clarify incremental builds example (#1609)

See the full diff

Package name: gulp-iconfont-css

The new version differs by 28 commits.

• 6901627 Merge pull request [Snyk] Fix for 1 vulnerable dependencies #67 from backflip/feature/cleanup
• 9cfefa1 Remove gulp-util, bumped engine
• ef1af81 Merge pull request [Snyk] Fix for 1 vulnerable dependencies #66 from backflip/feature/add-sass-template
• 52dfca9 Updated README
• 693f927 Added sass file to config and tests
• 46ddc99 adds sass template
• 79a0107 Merge pull request [Snyk] Fix for 1 vulnerable dependencies #65 from backflip/feature/event-stream
• 00e8ff0 Locked event-stream to 3.3.4 due to vulnerability in newer versions
• d71d872 Merge pull request [Snyk] Fix for 1 vulnerable dependencies #64 from backflip/feature/travis
• d0e9882 Updated code, dependencies and tests
• bdf485f Removed lock file
• 347fcd8 Updated Travis config
• 332e274 Added lock file to gitignore
• 98fbc78 Merge pull request [Snyk] Fix for 7 vulnerable dependencies #63 from FeliceC/master
• bebd036 removed deprecated gulp-utill
• 8a7bae3 Updated new test file for alias config
• 115fb8a Merge branch 'master' of https://github.com/backflip/gulp-iconfont-css
• 70bead4 Merge pull request [Snyk] Fix for 7 vulnerable dependencies #57 from bradrisse/master
• 0e040b4 2.2.0
• 8569024 Merge branch 'master' into master
• ba8f742 Rename aliasRoot to originalFileName
• 3330d4b Merge pull request [Snyk] Fix for 1 vulnerable dependencies #42 from mrtbld/feature/cachebusting
• 1f34898 Aliases option
• e150150 fixup! Add cache buster config option

See the full diff

Package name: multi-glob

The new version differs by 11 commits.

• 9c8227c 1.0.2
• 1ca1e69 Merge pull request [Snyk] Fix for 1 vulnerable dependencies #12 from busterjs/bump-travis
• d0adf60 latest nodes
• 607ded0 Merge pull request [Snyk] Fix for 1 vulnerable dependencies #11 from cjohansen/master
• ebdc8b2 Up appveyor node versions
• 1449412 Up version
• 99ab7f3 Drop async dependency
• 1a95582 Drop lodash dependency
• 852f31a Update travis config
• 9bee0ea Run tests with jest
• 003bac5 test on windows

See the full diff

Package name: npm

The new version differs by 250 commits.

• ab3c62a 6.2.0
• 0cfe801 update AUTHORS
• 890c132 doc: update changelog for [email protected]
• 7a08a9b empty
• 322d9c2 chore: Make standard happy
• 4231a0a meta: Add cli-table3 to bundledeps
• f0a372b docs: replace references to the old repo or issue tracker ([Snyk] Fix for 2 vulnerable dependencies #5)
• 4c32413 run-script: Do not use SET to fetch the env in git-bash or cygwin
• 7984206 version: Add new sign-git-commit config (#12697)
• 244b183 audit: add support for --parseable output (#20554)
• 7381783 docs: republish waiting period (#20920)
• 5724983 docs: remove back-ticks not being parsed as markdown (#21165)
• 90c759f [email protected]
• 8dc6d76 [email protected]
• 2ac48f8 [email protected]
• d9b2712 [email protected]
• 843bdd6 6.2.0-next.1
• 5440b5e doc: update changelog for [email protected]
• ecdcbd7 misc: remove postinstall script that broke stuff (#21129)
• ea9415f 6.2.0-next.0
• d7cf1b3 update AUTHORS
• feb4e2b doc: update changelog for [email protected]
• fe4240e [email protected]
• 177cbb4 cache: Add warning text about using temp cache for debugging (#21105)

See the full diff

Package name: request-promise

The new version differs by 28 commits.

• 4bc186d Version 4.2.6
• 4c7d51d chore: bumped request-promise-core due to security vulnerability of lodash
• f364ee4 docs: reference to request deprecation and alternative libs
• 873d156 Merge pull request 404 Not Found  Gottwik/Enduro#341 from shisama/patch-1
• 052331d docs: deprecate this package
• b4dafe4 docs: fixed link
• fd52247 Version 4.2.5
• a27ba86 chore: updated request-promise-core that updates lodash
• 4e3b7ed Version 4.2.4
• 94be6fe fix: tough-cookie version
• 03f7030 chore: updated publish-please config
• d831905 Version 4.2.3 (now really)
• 37e8773 fix: updated indirect lodash dependency to fix security vulnerability
• 229225e Version 4.2.3
• 4f27097 chore: fix ci build for node v8+
• c535eb6 Merge pull request An in-range update of socket.io is breaking the build 🚨 Gottwik/Enduro#299 from aomdoa/fixToughCookieDep
• 488947b Merge branch 'master' into fixToughCookieDep
• 131abd7 fix: breaking change in tough-cookie v3
• b454ddc chore: added node 8 and 10 to ci build
• 6d11ddc fix: typo
• 3a136ea Merge pull request Assets in _generated in culture folders Gottwik/Enduro#303 from lexjacobs/patch-1
• 5e32191 docs: mention of wrapped request errors
• 2ac4f3e Update rp.js
• 1457338 Workaround on the cookie processing test.

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution