[Snyk] Fix for 30 vulnerabilities

[snyk-bot]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:

  • package.json

• Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
  Find out more.

Vulnerabilities that will be fixed

With an upgrade:

Severity	Issue	Breaking Change	Exploit Maturity
	Prototype Pollution SNYK-JS-AJV-584908	Yes	No Known Exploit
	Arbitrary Code Execution SNYK-JS-JSYAML-174129	Yes	No Known Exploit
	Prototype Pollution SNYK-JS-LODASH-450202	Yes	Proof of Concept
	Prototype Pollution SNYK-JS-LODASH-567746	Yes	Proof of Concept
	Prototype Pollution SNYK-JS-LODASH-73638	Yes	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	Yes	No Known Exploit
	Prototype Pollution SNYK-JS-MINIMIST-559764	Yes	Proof of Concept
	Arbitrary File Overwrite SNYK-JS-TAR-174125	No	No Known Exploit
	Prototype Pollution SNYK-JS-YARGSPARSER-560381	Yes	Proof of Concept
	Arbitrary File Write via Archive Extraction (Zip Slip) npm:adm-zip:20180415	No	Mature
	Regular Expression Denial of Service (ReDoS) npm:clean-css:20180306	Yes	Proof of Concept
	Uninitialized Memory Exposure npm:concat-stream:20160901	Yes	Mature
	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	No	No Known Exploit
	Regular Expression Denial of Service (ReDoS) npm:eslint:20180222	Yes	Proof of Concept
	Arbitrary Code Injection npm:growl:20160721	No	No Known Exploit
	Regular Expression Denial of Service (ReDoS) npm:hawk:20160119	No	No Known Exploit
	Prototype Pollution npm:hoek:20180212	Yes	No Known Exploit
	Timing Attack npm:http-signature:20150122	No	No Known Exploit
	Prototype Pollution npm:lodash:20180130	Yes	No Known Exploit
	Regular Expression Denial of Service (ReDoS) npm:minimatch:20160620	Yes	No Known Exploit
	Regular Expression Denial of Service (ReDoS) npm:ms:20170412	No	No Known Exploit
	Uninitialized Memory Exposure npm:npmconf:20180512	No	Mature
	Prototype Override Protection Bypass npm:qs:20170213	No	No Known Exploit
	Regular Expression Denial of Service (ReDoS) npm:semver:20150403	No	No Known Exploit
	Improper minification of non-boolean comparisons npm:uglify-js:20150824	No	No Known Exploit
	Regular Expression Denial of Service (ReDoS) npm:uglify-js:20151024	No	No Known Exploit

Commit messages

Package name: grunt-contrib-less

The new version differs by 9 commits.

• 815cef9 v2.0.0 with dep updates (Suggestions for usability improvements with inline editors adobe/brackets#342)
• 5b04ca0 Update less to 3.0.0 (Inline editor includes comment after rule adobe/brackets#340)
• d8231dc Add node 8, remove node 0.10 (We need different Windows and Mac shortcuts for CodeMirror adobe/brackets#337)
• 0353e53 accept a function for sourceMapFilename (FileIndexManager adobe/brackets#306)
• c81d284 accept a function for sourceMapURL (Reloading external file should retain selection/scroll position adobe/brackets#307)
• e0c3722 Update AppVeyor project.
• 459ca0b Update less-options.md
• c282d0d v1.4.1.
• a507646 Rethrow the compilation error after printing the message. (JSLint results don't update after syncing external changes adobe/brackets#315)

See the full diff

Package name: grunt-contrib-watch

The new version differs by 20 commits.

• 3b7ddf4 v1.1.0
• 72b1214 Updating dependencies, async, lodash and tiny-lr
• 5adb27c Merge pull request Clicking in the blank area below the very last line of code won't set IP at the end of code in inline editor. adobe/brackets#543 from digitalbazaar/master
• 6ec71e9 v1.0.1
• 7d20933 Update copyright year
• e3d19df Update ci configs
• d117574 Updating ci configs
• 99410a7 README.md: Fixed typos (Using Live Preview in conjunction with the Inline Editor causes uncaught exceptions adobe/brackets#536)
• f07311b Update tiny-lr dependency to 1.x
• 7f8cf80 Add local grunt-cli
• ab6771e Drop back to [email protected] until the bad test helper can be sorted
• 2e2daa5 Update to [email protected]
• 3d7fa3a Avoid timing issue in tests because of the bad test helper
• 0130a16 Merge pull request Middle-click scrolling not correctly disabled adobe/brackets#500 from gruntjs/deps
• 5289845 Update devDependencies.
• fd3ed7a Lint tweaks.
• e42386a Merge pull request Implement rule list widget adobe/brackets#501 from cepko33/master
• 8c93077 Updated lodash and changed outdated 'contains' to 'includes'
• 986b8a9 Update CHANGELOG.
• 5e155ec Add AppVeyor for Windows testing.

See the full diff

Package name: grunt-eslint

The new version differs by 3 commits.

• fdbd6b0 20.0.0
• 79d5e1f Update to ESLint 4 (CVE-2016-10735 (Medium) detected in bootstrap-2.0.3.min.js #143)
• eab8924 Add Node.js 8 to Travis CI test matrix (CVE-2013-7371 (Medium) detected in connect-1.8.7.tgz - autoclosed #144)

See the full diff

Package name: phantomjs

The new version differs by 70 commits.

• 017ec0c backport 2.1+ installer fixes back to phantomjs 1.9.8 installer
• 0719f5d Merge pull request Account for %20 encoding for paths gotten from windows.location.pathname adobe/brackets#512 from Medium/nick-global
• 2b843b5 bump version #
• f57d473 Merge pull request Unescape URI when converting to native path. adobe/brackets#511 from Medium/nick-global
• 2da9622 Use github releases to serve download files
• 18bed40 Merge pull request Middle-click in inline editor's chrome scrolls view & breaks editor adobe/brackets#510 from Medium/nick-global
• ee20e6d try to link to the global phantomjs npm install if we can
• 00c6258 Merge pull request Quick open should reveal file in file tree adobe/brackets#498 from Medium/nick-release
• ceeff49 bump version #
• 628ed57 Merge pull request Adding support for Ctrl+D / Cmd+D Eclipse style for deleting lines adobe/brackets#497 from bleggett/remove-adm-zip
• b3c688d Rename var
• b29be1d Remove local edit.
• 77460b6 Replace adm_zip install dependency with extract-zip due to licensing issues with the former.
• 9668e8c Merge pull request Runtime error when full editor contents are fully deleted adobe/brackets#489 from Medium/nick-release
• a35c29a bump version #
• a9099d6 Merge pull request Prepopulate Find / Find in Files / Quick Open with the current selection adobe/brackets#488 from jgibson/master
• 8475d0a Merge pull request Temporary fix for global key bindings and dialogs adobe/brackets#479 from pra85/patch-1
• e3de1dc Fixes Brackets crashes when window.location is set in developer tools adobe/brackets#477 by passing CA options directly.
• 3132404 Merge pull request Merge live-development branch into master adobe/brackets#485 from Medium/nick-logs
• 2ade873 tweak some logs
• 8404465 Merge pull request Bidirectional syncing for inline editors adobe/brackets#484 from SamMorrowDrums/master
• d57f903 Replaces octal literal with parseInt. Fixes CSSUtils.extractAllSelectors computes an incorrect "line" value when comments are above the selector adobe/brackets#483
• d7f1d21 Fix typo in Readme
• 2b64427 Merge pull request Allow for platform-specific font sizes adobe/brackets#476 from connesc/master

See the full diff

Package name: tar

The new version differs by 5 commits.

• 523c5c7 2.2.2
• 7ecef07 Bump fstream to fix hardlink overwriting vulnerability
• 9fc84b9 Use {} for hardlink tracking instead of []
• 15e59f1 Only track previously seen hardlinks
• 4f85851 Ignore potentially unsafe files

See the full diff

Package name: webpack

The new version differs by 250 commits.

• 213226e 4.0.0
• fde0183 Merge pull request Update strings.js adobe/brackets#6081 from webpack/formating/prettier
• b6396e7 update stats
• f32bd41 fix linting
• 5238159 run prettier on existing code
• 518d1e0 replace js-beautify with prettier
• 4c25bfb 4.0.0-beta.3
• dd93716 Merge pull request Question: Where is build target defined? adobe/brackets#6296 from shellscape/fix/hmr-before-node-stuff
• 7a07901 Merge pull request Idea and little bug in Brackets for Windows adobe/brackets#6563 from webpack/performance/assign-depth
• c7eb895 Merge pull request Get an error when using shortcut to reload Brackets continuously.  adobe/brackets#6452 from webpack/update_acorn
• 9179980 Merge pull request [File Watchers] Can not externally rename a directory with subfolders on Windows adobe/brackets#6551 from nveenjain/fix/templatemd
• e52f323 optimize performance of assignDepth
• 6bf5df5 Fixed template.md
• 90ab23a Merge branch 'master' into fix/hmr-before-node-stuff
• b0949cb add integration test for spread operator
• 39438c7 unittest now also walks the ast
• 15ab027 Merge pull request file tree does not notice external renames adobe/brackets#6536 from jevan0307/sideEffects-selectors
• 1611ce1 Merge pull request New file should fallback to the project root if the current file is outside the project adobe/brackets#6561 from joshunger/patch-1
• 6e175bc Merge pull request Create new items in the project root if currently opened document is not inside the project. adobe/brackets#6549 from webpack/md4_hash
• 0637531 Add a hyperlink to create a new issue
• 0e1f9c6 Merge pull request [File Watchers] Folder not unwatched when externally renamed adobe/brackets#6554 from webpack/deps/end-of-beta
• 72477f4 upgrade versions to stable versions
• ed30285 Merge pull request Fix duplicate tree nodes when creating a file externally in a folder that was not loaded adobe/brackets#6546 from webpack/bot/review-permission
• 40ee8c7 Use MD4 for hashing

See the full diff

With a Snyk patch:

Severity	Issue	Exploit Maturity
	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	No Known Exploit
	Prototype Pollution npm:hoek:20180212	No Known Exploit
	Regular Expression Denial of Service (ReDoS) npm:mime:20170907	No Known Exploit
	Regular Expression Denial of Service (ReDoS) npm:minimatch:20160620	No Known Exploit
	Regular Expression Denial of Service (ReDoS) npm:ms:20170412	No Known Exploit
	Remote Memory Exposure npm:request:20160119	No Known Exploit
	Regular Expression Denial of Service (ReDoS) npm:tough-cookie:20170905	No Known Exploit
	Uninitialized Memory Exposure npm:tunnel-agent:20170305	Proof of Concept

Some vulnerabilities couldn't be fully fixed and so Snyk will still find them when the project is tested again. This may be because the vulnerability existed within more than one direct dependency, but not all of the effected dependencies could be upgraded.

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

[pull-assistant]

Best reviewed: commit by commit

---

Optimal code review plan

     fix: package.json & .snyk to reduce vulnerabilities

Powered by Pull Assistant. Last update 41af7a1 ... 41af7a1. Read the comment docs.