[Snyk] Fix for 48 vulnerabilities

[snyk-io]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • workspaces/arborist/test/fixtures/tap-with-yarn-lock/node_modules/debug/package.json
  • workspaces/arborist/test/fixtures/tap-with-yarn-lock/node_modules/debug/.snyk

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	165/1000 Why? Confidentiality impact: High, Integrity impact: High, Availability impact: High, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: High, Attack Vector: Network, EPSS: 0.0037, Social Trends: No, Days since published: 1559, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 9.79, Likelihood: 1.68, Score Version: V5	Prototype Pollution SNYK-JS-AJV-584908	Yes	No Known Exploit
	159/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00396, Social Trends: No, Days since published: 1136, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.99, Likelihood: 2.65, Score Version: V5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	169/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00045, Social Trends: No, Days since published: 162, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.99, Likelihood: 2.81, Score Version: V5	Uncontrolled resource consumption SNYK-JS-BRACES-6838727	Yes	Proof of Concept
	159/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00242, Social Trends: No, Days since published: 1383, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.99, Likelihood: 2.65, Score Version: V5	Denial of Service (DoS) SNYK-JS-ENGINEIO-1056749	Yes	Proof of Concept
	114/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00096, Social Trends: No, Days since published: 701, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.99, Likelihood: 1.89, Score Version: V5	Denial of Service (DoS) SNYK-JS-ENGINEIO-3136336	Yes	No Known Exploit
	97/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Changed, Exploit Maturity: No data, User Interaction (UI): Required, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00083, Social Trends: No, Days since published: 900, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 6.65, Likelihood: 1.45, Score Version: V5	Regular Expression Denial of Service (ReDoS) SNYK-JS-HAWK-2808852	Yes	No Known Exploit
	212/1000 Why? Confidentiality impact: High, Integrity impact: High, Availability impact: None, Scope: Changed, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Adjacent, EPSS: 0.01055, Social Trends: No, Days since published: 153, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Critical, Package Popularity Score: 99, Impact: 9.6, Likelihood: 2.2, Score Version: V5	Authentication Bypass SNYK-JS-HAWK-6969142	Yes	Proof of Concept
	141/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Local, EPSS: 0.01055, Social Trends: No, Days since published: 327, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 5.99, Likelihood: 2.35, Score Version: V5	Missing Release of Resource after Effective Lifetime SNYK-JS-INFLIGHT-6095116	Yes	Proof of Concept
	102/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: High, Attack Vector: Network, EPSS: 0.01055, Social Trends: No, Days since published: 2039, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 5.99, Likelihood: 1.69, Score Version: V5	Denial of Service (DoS) SNYK-JS-JSYAML-173999	Yes	No Known Exploit
	166/1000 Why? Confidentiality impact: High, Integrity impact: High, Availability impact: High, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: High, Attack Vector: Network, EPSS: 0.01055, Social Trends: No, Days since published: 2025, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 9.79, Likelihood: 1.69, Score Version: V5	Arbitrary Code Execution SNYK-JS-JSYAML-174129	Yes	No Known Exploit
	123/1000 Why? Confidentiality impact: Low, Integrity impact: Low, Availability impact: None, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): Required, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00105, Social Trends: No, Days since published: 989, Reachable: No, Transitive dependency: No, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 98, Impact: 4.19, Likelihood: 2.93, Score Version: V5	Cross-site Scripting (XSS) SNYK-JS-KARMA-2395349	Yes	Proof of Concept
	81/1000 Why? Confidentiality impact: Low, Integrity impact: Low, Availability impact: None, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): Required, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00093, Social Trends: No, Days since published: 972, Reachable: No, Transitive dependency: No, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 98, Impact: 4.19, Likelihood: 1.93, Score Version: V5	Open Redirect SNYK-JS-KARMA-2396325	Yes	No Known Exploit
	63/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: Low, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00231, Social Trends: No, Days since published: 1345, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 2.35, Likelihood: 2.65, Score Version: V5	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	Yes	Proof of Concept
	239/1000 Why? Confidentiality impact: High, Integrity impact: High, Availability impact: High, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): High, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00858, Social Trends: No, Days since published: 1345, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 9.79, Likelihood: 2.44, Score Version: V5	Code Injection SNYK-JS-LODASH-1040724	Yes	Proof of Concept
	152/1000 Why? Confidentiality impact: Low, Integrity impact: Low, Availability impact: Low, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.02082, Social Trends: No, Days since published: 1939, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.62, Likelihood: 2.69, Score Version: V5	Prototype Pollution SNYK-JS-LODASH-450202	Yes	Proof of Concept
	150/1000 Why? Confidentiality impact: Low, Integrity impact: Low, Availability impact: Low, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.01055, Social Trends: No, Days since published: 1523, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.62, Likelihood: 2.67, Score Version: V5	Prototype Pollution SNYK-JS-LODASH-608086	Yes	Proof of Concept
	170/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.01055, Social Trends: No, Days since published: 190, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.99, Likelihood: 2.83, Score Version: V5	Prototype Pollution SNYK-JS-LODASH-6139239	Yes	Proof of Concept
	149/1000 Why? Confidentiality impact: Low, Integrity impact: Low, Availability impact: Low, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00128, Social Trends: No, Days since published: 2089, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.62, Likelihood: 2.64, Score Version: V5	Prototype Pollution SNYK-JS-LODASH-73638	Yes	Proof of Concept
	133/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): High, Attack Complexity: High, Attack Vector: Network, EPSS: 0.004, Social Trends: No, Days since published: 2027, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 5.99, Likelihood: 2.21, Score Version: V5	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	Yes	Proof of Concept
	75/1000 Why? Confidentiality impact: High, Integrity impact: None, Availability impact: None, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): Low, Attack Complexity: Low, Attack Vector: Local, EPSS: 0.00047, Social Trends: No, Days since published: 1006, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 5.99, Likelihood: 1.24, Score Version: V5	Information Exposure SNYK-JS-LOG4JS-2348757	Yes	No Known Exploit
	124/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00045, Social Trends: No, Days since published: 162, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.99, Likelihood: 2.06, Score Version: V5	Inefficient Regular Expression Complexity SNYK-JS-MICROMATCH-6838728	Yes	No Known Exploit
	59/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: Low, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: High, Attack Vector: Network, EPSS: 0.03488, Social Trends: No, Days since published: 946, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Low, Package Popularity Score: 99, Impact: 2.35, Likelihood: 2.51, Score Version: V5	Prototype Pollution SNYK-JS-MINIMIST-2429795	Yes	Proof of Concept
	137/1000 Why? Confidentiality impact: Low, Integrity impact: Low, Availability impact: Low, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: High, Attack Vector: Network, EPSS: 0.00105, Social Trends: No, Days since published: 1686, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 5.62, Likelihood: 2.42, Score Version: V5	Prototype Pollution SNYK-JS-MINIMIST-559764	Yes	Proof of Concept
	154/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.01055, Social Trends: No, Days since published: 867, Reachable: No, Transitive dependency: No, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.99, Likelihood: 2.56, Score Version: V5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MOCHA-2863123	Yes	No Known Exploit
	154/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.01055, Social Trends: No, Days since published: 1668, Reachable: No, Transitive dependency: No, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.99, Likelihood: 2.56, Score Version: V5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MOCHA-561476	Yes	No Known Exploit
	159/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.0016, Social Trends: No, Days since published: 490, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.99, Likelihood: 2.64, Score Version: V5	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	Yes	Proof of Concept
	173/1000 Why? Confidentiality impact: High, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): Low, Attack Complexity: Low, Attack Vector: Local, EPSS: 0.00048, Social Trends: No, Days since published: 1014, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 8.63, Likelihood: 1.99, Score Version: V5	Improper Privilege Management SNYK-JS-SHELLJS-2332187	Yes	Proof of Concept
	63/1000 Why? Confidentiality impact: Low, Integrity impact: None, Availability impact: None, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00162, Social Trends: No, Days since published: 1384, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 2.35, Likelihood: 2.64, Score Version: V5	Insecure Defaults SNYK-JS-SOCKETIO-1024859	Yes	Proof of Concept
	159/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00242, Social Trends: No, Days since published: 1383, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.99, Likelihood: 2.65, Score Version: V5	Denial of Service (DoS) SNYK-JS-SOCKETIOPARSER-1056752	Yes	Proof of Concept
	186/1000 Why? Confidentiality impact: High, Integrity impact: High, Availability impact: High, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.0021, Social Trends: No, Days since published: 723, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Critical, Package Popularity Score: 99, Impact: 9.79, Likelihood: 1.9, Score Version: V5	Improper Input Validation SNYK-JS-SOCKETIOPARSER-3091012	Yes	No Known Exploit
	115/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.01055, Social Trends: No, Days since published: 982, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.99, Likelihood: 1.92, Score Version: V5	Prototype Pollution SNYK-JS-UNSETVALUE-2400660	Yes	No Known Exploit
	115/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.01055, Social Trends: No, Days since published: 1983, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 98, Impact: 5.99, Likelihood: 1.92, Score Version: V5	Regular Expression Denial of Service (ReDoS) SNYK-JS-USERAGENT-174737	Yes	No Known Exploit
	63/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: Low, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00222, Social Trends: No, Days since published: 1245, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 2.35, Likelihood: 2.65, Score Version: V5	Regular Expression Denial of Service (ReDoS) SNYK-JS-WS-1296835	Yes	Proof of Concept
	245/1000 Why? Confidentiality impact: High, Integrity impact: High, Availability impact: High, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: High, Attack Vector: Network, EPSS: 0.03027, Social Trends: No, Days since published: 1327, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 9.79, Likelihood: 2.49, Score Version: V5	Arbitrary Code Injection SNYK-JS-XMLHTTPREQUESTSSL-1082936	Yes	Proof of Concept
	149/1000 Why? Confidentiality impact: Low, Integrity impact: Low, Availability impact: Low, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00208, Social Trends: No, Days since published: 1275, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.62, Likelihood: 2.65, Score Version: V5	Access Restriction Bypass SNYK-JS-XMLHTTPREQUESTSSL-1255647	Yes	Proof of Concept
	58/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: Low, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: High, Attack Vector: Network, EPSS: 0.00117, Social Trends: No, Days since published: 2437, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Low, Package Popularity Score: 99, Impact: 2.35, Likelihood: 2.42, Score Version: V5	Regular Expression Denial of Service (ReDoS) npm:braces:20180219	Yes	Proof of Concept
	58/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: Low, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: High, Attack Vector: Network, EPSS: 0.00296, Social Trends: No, Days since published: 2583, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Low, Package Popularity Score: 99, Impact: 2.35, Likelihood: 2.43, Score Version: V5	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	Yes	Proof of Concept
	182/1000 Why? Confidentiality impact: High, Integrity impact: High, Availability impact: Low, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): Required, Privileges Required (PR): None, Attack Complexity: High, Attack Vector: Network, EPSS: 0.01055, Social Trends: No, Days since published: 2422, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 9.08, Likelihood: 2, Score Version: V5	Regular Expression Denial of Service (ReDoS) npm:diff:20180305	Yes	Proof of Concept
	77/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: Low, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: High, Attack Vector: Network, EPSS: 0.01055, Social Trends: No, Days since published: 2405, Reachable: No, Transitive dependency: No, Is Malicious: No, Business Criticality: High, Provider Urgency: Low, Package Popularity Score: 99, Impact: 2.35, Likelihood: 3.26, Score Version: V5	Regular Expression Denial of Service (ReDoS) npm:eslint:20180222	Yes	Proof of Concept
	187/1000 Why? Confidentiality impact: High, Integrity impact: High, Availability impact: High, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00526, Social Trends: No, Days since published: 2731, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Critical, Package Popularity Score: 99, Impact: 9.79, Likelihood: 1.9, Score Version: V5	Arbitrary Code Injection npm:growl:20160721	Yes	No Known Exploit
	141/1000 Why? Confidentiality impact: Low, Integrity impact: Low, Availability impact: Low, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): Low, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.01021, Social Trends: No, Days since published: 2442, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 5.62, Likelihood: 2.5, Score Version: V5	Prototype Pollution npm:hoek:20180212	Yes	Proof of Concept
	140/1000 Why? Confidentiality impact: Low, Integrity impact: Low, Availability impact: Low, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): Low, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00122, Social Trends: No, Days since published: 2442, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 5.62, Likelihood: 2.48, Score Version: V5	Prototype Pollution npm:lodash:20180130	Yes	Proof of Concept
	40/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: Low, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: High, Attack Vector: Network, EPSS: 0.00171, Social Trends: No, Days since published: 2717, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Low, Package Popularity Score: 100, Impact: 2.35, Likelihood: 1.67, Score Version: V5	Regular Expression Denial of Service (ReDoS) npm:ms:20170412	Yes	No Known Exploit
	114/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00115, Social Trends: No, Days since published: 2588, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 98, Impact: 5.99, Likelihood: 1.89, Score Version: V5	Regular Expression Denial of Service (ReDoS) npm:parsejson:20170908	Yes	No Known Exploit
	214/1000 Why? Confidentiality impact: High, Integrity impact: High, Availability impact: High, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Local, EPSS: 0.00804, Social Trends: No, Days since published: 3044, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 9.79, Likelihood: 2.18, Score Version: V5	Command Injection npm:shell-quote:20160621	Yes	Proof of Concept
	118/1000 Why? Confidentiality impact: High, Integrity impact: None, Availability impact: None, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: High, Attack Vector: Local, EPSS: 0.01055, Social Trends: No, Days since published: 2666, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 5.99, Likelihood: 1.96, Score Version: V5	Uninitialized Memory Exposure npm:tunnel-agent:20170305	Yes	Proof of Concept
	220/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: Functional, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.01055, Social Trends: No, Days since published: 2539, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.99, Likelihood: 3.67, Score Version: V5	Denial of Service (DoS) npm:ws:20171108	Yes	Mature

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: browserify

The new version differs by 174 commits.

• 1635157 13.2.0
• d2392a4 Merge branch 'master' of https://github.com/laurynasl-wix/node-browserify
• bf061d8 Allow configuring transformKey option for module-deps
• 9e3b11e Merge branch 'master' of https://github.com/Abhinay077/node-browserify
• c3a4424 13.1.1
• 10b93d8 use cached-path-relative fixes from https://github.com/use memoized path.relative browserify/browserify#1544
• 71240c2 Update package.json
• 5c87f47 Update package.json
• 8f5ebbf 13.1.0
• 7fbaee2 Add option to turn off deduping
• 071642a Update changelog, credit contributor
• 1491be4 13.0.1
• 50b4e8d Merge pull request docs: fix build error from libvips + sharp npm/cli#1555 from jmm/use-native-isarray
• 14e92f9 Eliminate isarray dep
• 0106bd3 Use native Array.isArray
• 8f7adc9 Merge pull request [BUG] Under 6.14.5, having a package.json provokes a 404 when a local dependency's dev dependency is a local scoped package npm/cli#1480 from MellowMelon/doc-ctor-require
• f556693 Wrap an offensively long line
• 58e8c5c Document some missing cli and constructor options
• b2374ce fix typo
• 5b82a2f 13.0.0
• 45d46e6 add 13.0.0 to changelog
• bc32336 Merge pull request [BUG] npm install error npm/cli#1476 from substack/bufferv4
• 656ff63 buffer@4
• af2c0b6 Merge pull request [BUG] <Failed to build standalone app err: Error: yarn exited with non-zero code: 1> npm/cli#1224 from LinusU/patch-1

See the full diff

Package name: coveralls

The new version differs by 76 commits.

• 2ea7be3 bump version
• 5e976c5 Only coverage report on test success, fixes [Snyk] Fix for 8 vulnerabilities #230
• 3d83b4f Set service_name and/or repo_token from .coveralls.yml regardless of if $COVERALLS_REPO_TOKEN is set ([Snyk] Fix for 1 vulnerabilities #272)
• 710c504 Add Codefresh support
• 8c4ba99 CI: switch to `actions/checkout@v2`
• eb1a3c9 278 Upgrades minimist dependency to 1.2.5
• 2e2b108 bump version
• 50913ed Remove the now unused istanbul and mocha-lcov-reporter devDependencies
• 1bceeff Revert [Snyk] Security upgrade tap from 16.3.10 to 18.0.0 #243.
• 4aa11a2 Remove snyk.
• 33eccc3 Revert "CI: use `npm ci` on Node.js >=8."
• 236529b Update logger.js
• 3a90b07 fix equality operator in logger.js
• bbe2de5 Update package.json
• 07ef879 Fix logger regression.
• f58f8b9 README.md: Add GitHub Actions CI info.
• 0488f10 Tweak README.md
• be79dab CI: use `npm ci` on Node.js >=8.
• ef51945 CI: Add Windows testing and lint
• c202346 Fix Windows tests again.
• 3d82534 use Coveralls GitHub action
• b1f7950 version bump
• 7c6178f Merge branch 'XhmikosR-appveyor-tests'
• ba49b6d Merge branch 'appveyor-tests' of https://github.com/XhmikosR/node-coveralls into XhmikosR-appveyor-tests

See the full diff

Package name: eslint

The new version differs by 250 commits.

• e0cbc50 9.0.0
• 75cb5f4 Build: changelog update for 9.0.0
• 19f9a89 chore: Update dependencies for v9.0.0 (#18275)
• 7c957f2 chore: package.json update for @ eslint/js release
• d73a33c chore: ignore `/docs/v8.x` in link checker (#18274)
• d54a412 feat: Add --inspect-config CLI flag (#18270)
• e151050 docs: update get-started to the new `@ eslint/create-config` (#18217)
• 610c148 fix: Support `using` declarations in no-lone-blocks (#18269)
• 44a81c6 chore: upgrade knip (#18272)
• 94178ad docs: mention about `name` field in flat config (#18252)
• 1765c24 docs: add Troubleshooting page (#18181)
• e80b60c chore: remove code for testing version selectors (#18266)
• 96607d0 docs: version selectors synchronization (#18260)
• e508800 fix: rule tester ignore irrelevant test case properties (#18235)
• a129acb fix: flat config name on ignores object (#18258)
• 97ce45b feat: Add `reportUsedIgnorePattern` option to `no-unused-vars` rule (#17662)
• 651ec91 docs: remove `/* eslint-env */` comments from rule examples (#18249)
• 950c4f1 docs: Update README
• 3e9fcea feat: Show config names in error messages (#18256)
• b7cf3bd fix!: correct `camelcase` rule schema for `allow` option (#18232)
• 12f5746 docs: add info about dot files and dir in flat config (#18239)
• b93f408 docs: update shared settings example (#18251)
• 26384d3 docs: fix `ecmaVersion` in one example, add checks (#18241)
• 7747097 docs: Update PR review process (#18233)

See the full diff

Package name: karma

The new version differs by 250 commits.

• d8cf806 chore(release): 6.4.3 [skip ci]
• d7f2d69 fix: add build commits for patch release
• 85a2eeb build(deps-dev): bump decode-uri-component from 0.2.0 to 0.2.2
• 0bffce2 build(deps): updated socket.io version to fix security issues with socket.io-parser and engine.io
• 86667ab build(deps): bump follow-redirects from 1.11.0 to 1.15.4
• 450fdfd docs: Add deprecation notice to Karma README
• 9de3c00 chore(release): 6.4.2 [skip ci]
• c6a4271 fix: few typos
• 50f9635 docs: update codeclimate badge in readme.md
• 0013121 chore(release): 6.4.1 [skip ci]
• 63d86be fix: pass integrity value
• 84f7cc3 chore(release): 6.4.0 [skip ci]
• f2d0663 docs: add integrity parameter
• dc51a2e feat: support SRI verification of link tags
• 6a54b1c feat: support SRI verification of script tags
• 5e71cf5 chore(release): 6.3.20 [skip ci]
• e17698f fix: prefer IPv4 addresses when resolving domains
• 60f4f79 build: add Node 16 and 18 to the CI matrix
• 6ff5aaf chore(release): 6.3.19 [skip ci]
• 099b85e fix(client): error out when opening a new tab fails
• b659015 ci: lint and commitlint in its own workflow
• 31701a2 chore(release): 6.3.18 [skip ci]
• 52a30bb fix(deps): upgrade socket.io to v4.4.1
• 7aeb3f8 docs(configuration-file): document async function

See the full diff

Package name: karma-mocha

The new version differs by 18 commits.

• 5828416 chore(release): 2.0.0 [skip ci]
• 4e35a55 chore(ci): semantic-release on success ([Snyk] Security upgrade tap from 16.3.10 to 18.0.0 #221)
• 00b24b6 chore(deps-dev): bump eslint from 2.13.1 to 4.18.2 ([Snyk] Fix for 9 vulnerabilities #220)
• f7ec4e7 Merge pull request [Snyk] Security upgrade standard from 14.3.4 to 16.0.0 #218 from karma-runner/semanitic-release
• 5a5b6d5 feat(ci): enable semanitic-release
• 36404cf Merge pull request [Snyk] Security upgrade tap from 14.11.0 to 18.0.0 #217 from franktopel/minimist-update
• bab0416 updated minimum version of minimist dependency to ^1.2.3 instead of 1.2.0
• 3f9e4b7 Revert "updated minimum version of minimist dependency to ^1.2.3 instead of 1.2.0"
• a9bfdf9 updated minimum version of minimist dependency to ^1.2.3 instead of 1.2.0
• 3dd7a56 Merge pull request [Snyk] Security upgrade @isaacs/minimist-git-dep from 1.0.0 to 1.0.2 #215 from mbaumgartl/update-node-versions
• 844939c Merge pull request [Snyk] Security upgrade standard from 10.0.3 to 17.0.0 #213 from mbaumgartl/fix-travis-build
• fd64f5b Update Node.js versions
• 6eb28de Fix Travis builds
• c8feade Merge pull request [Snyk] Fix for 20 vulnerabilities #210 from elpddev/chore/align-node-support-same-as-karma
• ea076c0 test(mock-fs): update mock-fs version
• 2fb6c93 ci(node versions): change running node verison the same as karma package
• 6c63662 Merge pull request [Snyk] Fix for 8 vulnerabilities #122 from maksimr/karma-mocha-109
• e847121 feat: Expose 'pending' status

See the full diff

Package name: mocha

The new version differs by 250 commits.

• 5f96d51 build(v10.1.0): release
• ed74f16 build(v10.1.0): update CHANGELOG
• 51d4746 chore(devDeps): update 'ESLint' to v8 (Alias --tag to --channel npm/cli#4926)
• 4e06a6f fix(browser): increase contrast for replay buttons ([BUG] Inconsistent values for npm_package_* env variable when executing command in workspace since npm v8.8.0 npm/cli#4912)
• 41567df Support prefers-color-scheme: dark ([BUG] GitHub references to dependencies slow/hang npm/cli#4896)
• 61b4b92 fix the regular expression for function `clean` in `utils.js` (chore: add fallback audit to tests npm/cli#4770)
• 77c18d2 chore: use standard 'Promise.allSettled' instead of polyfill ([BUG] Depends on deprecated packages path-is-absolute and read-package-tree npm/cli#4905)
• 84b2f84 chore(ci): upgrade GH actions to latest versions (Renovate npm/cli#4899)
• 023f548 build(v10.0.0): release
• 62b1566 build(v10.0.0): update CHANGELOG
• fbe7a24 chore: update dependencies (chore: update action secrets + bot info npm/cli#4878)
• 2b98521 docs: replace 'git.io' short links ([BUG] Inconsistent --silent for npm install npm/cli#4877) [ci skip]
• 007fa65 chore(ci): add Node v18 to test matrix ([BUG] Failed to install any package with ERROR Code"npm ERR! Cannot read property 'insert' of undefined" npm/cli#4876)
• f6695f0 chore(esm): remove code for Node v12 (feat: add flag --omit-lockfile-registry-resolved npm/cli#4874)
• 59f6192 chore(ci): conditionally skip 'push' event (deps: make-fetch-happen@10.1.3 npm/cli#4872)
• b863359 docs: fix 'fgrep' url ([BUG] npx@8 regression: command injection / impossible to pass a bactick as argument npm/cli#4873)
• baaa41a chore(ci): ignore changes to docs files ([BUG] npx command not install latest package npm/cli#4871)
• ac81cc5 refactor!: drop support of 'growl' notification ([DOCS] Explain behavior of "npm install" w/r/t package versions in package-lock.json. npm/cli#4866)
• 3946453 chore(deps)!: upgrade 'minimatch' (package-json.md npm/cli#4865)
• 592905b refactor!: rename 'bin/mocha' to 'bin/mocha.js' ([BUG] Critical issue with npm link --install-links --save ../package/ deleting the package directory! npm/cli#4863)
• b7b849b refactor!: remove deprecated Runner signature ([BUG] the output of the publish and postpublished are mixed up npm/cli#4861)
• 0608fa3 chore(site): fix supporters' download ([BUG] npm can install an invalid tree with transitive optional peer deps npm/cli#4859)
• 785aeb1 chore(test): drop AMD/'requirejs' (fix: consolidate bugs, docs, repo command logic npm/cli#4857)
• ed640c4 chore(devDeps): upgrade 'coffee-script' (deps: npm-packlist@5.0.3 npm/cli#4856)

See the full diff

Package name: rimraf

The new version differs by 102 commits.

• a1268c9 4.3.1
• cacc067 changelog 4.3.1
• cd6fbc6 Only call directory removal method on actual dirs
• 4937e64 format markdown
• ba35d77 always return Dirents from readdir
• f923bb0 4.3.0
• ed7b2a6 test: chmod ordering is nondeterministic
• 4cb1d47 changelog about bin interactivity
• 95e13f2 try to make the interactive test less flaky
• 38e731f bin: add interactive mode
• ca28abb let the filter option be async for async methods
• 3b57687 add --verbose, --no-verbose to bin
• ed3288e add filter option
• e828fe2 Update v4 glob support in README
• 80aef8b 4.2.0
• 0d19a99 changelog 420
• f768f26 treat paths as glob patterns when glob option set
• 5760716 make rimraf cancelable with AbortSignals

[sourcery-ai]

🧙 Sourcery has finished reviewing your pull request!

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time. You can also use
  this command to specify where the summary should be inserted.

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

We have skipped reviewing this pull request. Here's why:

• It seems to have been created by a bot (hey, snyk-io[bot]!). We assume it knows what it's doing!
• It seems to have been created by a bot ('[Snyk]' found in title). We assume it knows what it's doing!