[Snyk] Fix for 23 vulnerabilities

[restinpeaceinout]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • script/package.json
  • script/package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	Yes	Proof of Concept
	484/1000 Why? Has a fix available, CVSS 5.4	Open Redirect SNYK-JS-GOT-2932019	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-HTTPCACHESEMANTICS-3248783	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	Yes	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-450202	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-608086	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-73638	Yes	Proof of Concept
	541/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-1019388	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-3050818	Yes	No Known Exploit
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Server-side Request Forgery (SSRF) SNYK-JS-REQUEST-3361831	Yes	Proof of Concept
	676/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.1	Improper Privilege Management SNYK-JS-SHELLJS-2332187	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-SSRI-1246392	No	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-TRIMNEWLINES-1298042	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-UNSETVALUE-2400660	Yes	No Known Exploit
	539/1000 Why? Has a fix available, CVSS 6.5	Improper Input Validation SNYK-JS-XMLDOM-1534562	Yes	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Prototype Pollution SNYK-JS-XMLDOM-3042242	Yes	No Known Exploit
	811/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 9.8	Improper Input Validation SNYK-JS-XMLDOM-3092935	Yes	Proof of Concept
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:lodash:20180130	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:minimatch:20160620	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: electron-chromedriver

The new version differs by 40 commits.

• 3807adb Merge pull request [Snyk] Upgrade aws-sdk from 2.275.1 to 2.574.0 #62 from electron/9-x-y
• 5a726b8 v9.0.0
• 3d0e75f fix: install npm_config_platform=win32 ([Snyk] Upgrade aws-sdk from 2.275.1 to 2.573.0 #61)
• ab6cd41 Merge pull request [Snyk] Upgrade request-promise-native from 1.0.5 to 1.0.8 #59 from erickzhao/chore/migrate-get
• b244950 chore: force node 10.12
• 1e4599b chore: upgrade extract-zip to v2.0.0
• 3c22216 refactor: migrate to @ electron/get
• d25a3ac Merge pull request [Snyk] Upgrade aws-sdk from 2.275.1 to 2.573.0 #57 from electron/dependabot/npm_and_yarn/acorn-6.4.1
• 2a0b450 Bump acorn from 6.2.1 to 6.4.1
• 0e494e4 Merge pull request [Snyk] Upgrade aws-sdk from 2.275.1 to 2.571.0 #55 from electron/8-x-y
• 400df8e v8.0.0
• c3f66d6 chore: update for 8.0.0-beta.7 ([Snyk] Upgrade aws-sdk from 2.275.1 to 2.570.0 #54)
• 209fa2e chore: set @ wg-releases as CODEOWNERS ([Snyk] Upgrade aws-sdk from 2.275.1 to 2.569.0 #53)
• ed80a77 Merge pull request [Snyk] Upgrade aws-sdk from 2.275.1 to 2.566.0 #50 from electron/7-0-x
• 5cba324 Update for v7.0.0
• 2ca0405 Merge pull request [Snyk] Upgrade aws-sdk from 2.275.1 to 2.564.0 #48 from electron/dependabot/npm_and_yarn/eslint-utils-1.4.2
• 0051436 chore: Update to 7.0.0-beta.5
• 4b48320 Bump eslint-utils from 1.4.0 to 1.4.2
• 2f4cca7 Merge pull request [Snyk] Upgrade aws-sdk from 2.275.1 to 2.563.0 #47 from electron/update-standard-mocha
• e3feaf5 chore: update standard and mocha
• 148292a Merge pull request [Snyk] Upgrade request-promise-native from 1.0.5 to 1.0.8 #46 from electron/update-stable-6
• bfb0ce6 chore: add support for Electron v6.0.0
• 8dc45bf Bump js-yaml from 3.12.0 to 3.13.1 ([Snyk] Upgrade aws-sdk from 2.275.1 to 2.560.0 #43)
• 2a79a74 Bump handlebars from 4.0.12 to 4.1.2 ([Snyk] Upgrade aws-sdk from 2.275.1 to 2.561.0 #44)

See the full diff

Package name: electron-mksnapshot

The new version differs by 29 commits.

• 9b1abfa fix: Allow downloading of custom versions of mksnapshots ([Snyk] Upgrade async from 2.0.1 to 2.6.3 #30)
• 4c31a01 chore: update to v9.0.0 ([Snyk] Upgrade npm from 6.2.0 to 6.12.0 #28)
• fcba03d chore: update mksnapshot to work with arm*-x64 zips ([Snyk] Upgrade aws-sdk from 2.275.1 to 2.553.0 #27)
• baeb2a2 Fix download on ARM ([Snyk] Upgrade etch from 0.12.8 to 0.14.0 #26)
• dfc0cd1 Bump acorn from 7.1.0 to 7.1.1 ([Snyk] Upgrade marked from 0.3.19 to 0.7.0 #25)
• 6d9510e 8.0.0 ([Snyk] Upgrade etch from 0.9.0 to 0.14.0 #24)
• e77fd2c v7.0.0
• 3c4921f 6.0.0 ([Snyk] Upgrade @atom/watcher from 1.0.8 to 1.3.1 #21)
• cc99f15 Bump lodash from 4.17.11 to 4.17.14 ([Snyk] Upgrade text-buffer from 13.14.10 to 13.17.0 #20)
• 4d3798f Bump extend from 3.0.1 to 3.0.2 ([Snyk] Upgrade async from 0.2.6 to 0.9.2 #19)
• 546c646 build: update for 6.0.0-beta.2 ([Snyk] Upgrade tree-sitter from 0.13.16 to 0.15.8 #18)
• 66c95ca build: update for 6.0.0-beta.1 ([Snyk] Upgrade postcss from 5.2.4 to 5.2.18 #17)
• 199a6a7 build: update for 5.x.x ([Snyk] Upgrade temp from 0.8.3 to 0.9.0 #16)
• 21a3ed0 build: update for 4.2.x ([Snyk] Fix for 1 vulnerabilities #15)
• 6e589d5 build: update for 4.1.x ([Snyk] Fix for 1 vulnerabilities #14)
• 909e705 build: update mksnapshot for 4-0-x ([Snyk] Fix for 1 vulnerable dependencies #13)
• ad2f2c0 Merge pull request [Snyk] Fix for 1 vulnerable dependencies #10 from electron/3-0-x
• c5354e0 Try longer timeout
• 05ff022 try this
• 3d8d590 fix dir
• a96f2a9 Try to track down travis failure
• 83361c5 Update for vulnerabilities
• 457df73 Update travis to node 10
• 2b3a240 Update appveyor to use node 10

See the full diff

Package name: electron-packager

The new version differs by 250 commits.

• 8d03dd7 14.0.0
• fe05b3e Merge pull request [Snyk] Upgrade aws-sdk from 2.275.1 to 2.1295.0 #1017 from electron-userland/v14-develop
• a77eb2d chore: add NEWS entries for v14
• f8a3cac Linux/ia32 warning moved from Packager to @ electron/get ([Snyk] Upgrade aws-sdk from 2.275.1 to 2.1294.0 #1016)
• 67e3021 test: fix CLI test names, add --no-download.rejectUnauthorized test
• 5f09eb5 refactor: use object shorthand in targets exports
• cf7c725 feat: convert from electron-download to @ electron/get ([Snyk] Upgrade aws-sdk from 2.275.1 to 2.1280.0 #1002)
• cc470ef refactor: always test against post-1.0 versions of Electron ([Snyk] Upgrade aws-sdk from 2.275.1 to 2.1289.0 #1012)
• 51cce5b chore: install Wine via homebrew on macOS
• 6075368 chore: use yarn on Travis/macOS
• f56c84e chore: upgrade the ava ecosystem to ^2
• 2f6e385 chore: refactor codesign testing ([Snyk] Upgrade aws-sdk from 2.275.1 to 2.1287.0 #1010)
• 8356c07 chore: avoid running npm install for fixtures ([Snyk] Upgrade aws-sdk from 2.275.1 to 2.1286.0 #1009)
• 99e28bb feat: ignore system junk files by default ([Snyk] Upgrade aws-sdk from 2.275.1 to 2.1282.0 #1005)
• 058f8d4 chore: upgrade electron-notarize to ^0.1.1
• 14625fb chore: upgrade rcedit to ^2.0.0 ([Snyk] Upgrade npm from 6.2.0 to 6.14.18 #1003)
• c3a499a Replace extract-zip with cross-zip ([Snyk] Upgrade aws-sdk from 2.275.1 to 2.1262.0 #984)
• 481937a Wrap await example in a function because top-level await doesn't exist yet
• ae73870 chore: upgrade eslint-plugin-node to ^9.0.1
• 3be181a chore: split up NPM scripts
• 70b96d0 Upgrade asar to ^2.0.1
• 34a305a Update asar to ^2.0.0
• dd0f0de Drop mz for util.promisify ([Snyk] Upgrade aws-sdk from 2.275.1 to 2.1261.0 #983)
• b0b253b Update tempy requirement from ^0.2.1 to ^0.3.0 ([Snyk] Upgrade aws-sdk from 2.275.1 to 2.1254.0 #980)

See the full diff

Package name: electron-winstaller

The new version differs by 15 commits.

• dad268d 3.0.0
• 694f929 feat: copy .exe.config file ([Snyk] Upgrade aws-sdk from 2.275.1 to 2.672.0 #229)
• da145bb feat: Squirrel 1.9.1 ([Snyk] Upgrade aws-sdk from 2.275.1 to 2.714.2 #288)
• 50bb564 feat: Allowed signWithParams with certificateFile/Password ([Snyk] Upgrade aws-sdk from 2.275.1 to 2.649.0 #190)
• b07643b feat: Add Squirrel's --framework-version Option ([Snyk] Upgrade aws-sdk from 2.275.1 to 2.705.0 #274) ([Snyk] Upgrade aws-sdk from 2.275.1 to 2.706.0 #275)
• a113097 chore: upgrade eslint, temp, & debug
• 5403c71 chore: upgrade to Node 6 ([Snyk] Upgrade request from 2.87.0 to 2.88.2 #293)
• 6210bab Upgrade asar to ^1.0.0
• 5954c8e 2.7.0
• b639c74 feat: Version bump vendored Squirrel.Windows to 1.9.0 ([Snyk] Upgrade aws-sdk from 2.275.1 to 2.700.0 #267)
• 5c28a08 Issue [Snyk] Upgrade aws-sdk from 2.275.1 to 2.694.0 #253: Add signature file to template ([Snyk] Upgrade tree-sitter from 0.13.16 to 0.16.1 #257)
• 7ebee45 Merge pull request [Snyk] Fix for 1 vulnerabilities #202 from bursauxa/patch-1
• 736159e Update README.md
• 7ba135d Update fs-extra to 2.1.2 ([Snyk] Upgrade aws-sdk from 2.275.1 to 2.676.0 #234)
• 0fa685a Documented "skipUpdateIcon" option.

See the full diff

Package name: klaw-sync

The new version differs by 14 commits.

• 2059501 update changelog, bump to v2.0.0
• 84532ab 2.0.0
• 3fc387f Merge pull request [Snyk] Fix for 1 vulnerable dependencies #2 from manidlou/add-filter-opt
• 4323677 update readme
• e76afdf change option name, update readme and changelog
• c4c78c5 remove unnecessary deps
• 2389ab0 update readme and changelog
• 56d1828 update changelog
• dd27335 refactor filter additional option, update readme
• e56432d add more tests for filter, update readme
• 739a6e3 remove ignore option, remove micromatch, refactor filter option, update bm.js
• a8c98ab fix bug: ignore with glob pattern (closes [Snyk] Fix for 3 vulnerable dependencies #1), add filter option
• ab77725 benchmark/bm.js: set async run to false
• 4d498ea benchmark/bm.js: set async run to false

See the full diff

Package name: npm

The new version differs by 250 commits.

• 3b4ba65 7.0.0
• bbfc75d chore: fix weird .gitignore thing that happened somehow
• 8a2d375 docs: changelog for v7.0.0
• 365f2e7 read-package-json@3.0.0
• fafb348 npm-package-arg@8.1.0
• 9306c68 libnpmfund@1.0.1
• 569cd64 libnpmfund@1.0.0
• ac9fde7 Integration code for @ npmcli/arborist@1.0.0
• 704b9cd @ npmcli/arborist@1.0.0
• 3955bb9 hosted-git-info@3.0.6
• da240ef fix: patch config.js to remove duplicate values
• 9ae45a8 init-package-json@2.0.0
• 41ab36d eslint@7.11.0
• c474a15 npm-registry-fetch@8.1.5
• efc6786 fix: make sure publishConfig is passed through
• 1e4e6e9 docs: v7 using npm config refresh
• 5c1c2da fix: init config aliases
• 5bc7eb2 docs: v7 npm-install refresh
• 1a35d87 7.0.0-rc.4
• 7a5a557 docs: changelog for v7.0.0-rc.4
• f0cf859 chore: dedupe deps
• 0273745 make-fetch-happen@8.0.10
• 7bd47ca @ npmcli/arborist@0.0.33
• 9320b8e only escape arguments, not the command name

See the full diff

Package name: standard

The new version differs by 250 commits.

• a599426 authors
• 4b7fac5 11.0.0
• 76bf851 standard-packages@3.4.0
• 22673fc test: add --fix flag to attempt fixing packages before failing
• 50c466c remove hardcoded npm run test scripts
• cc79290 .npmignore
• 7b5e482 .npmignore
• 538f087 standard-engine@8.0
• 0147989 eslint-config-standard-jsx@5.0.0
• 7ff022f eslint-config-standard@11.0.0
• c9e8503 changelog
• a5333eb changelog
• 98f513c test style
• 8376af6 don't peg CPU when running tests
• 47489da update changelog
• 4ff2152 eslint-plugin-node@6
• 78be324 eslint@4.18
• c2bd85c Merge pull request [Snyk] Upgrade aws-sdk from 2.275.1 to 2.1333.0 #1054 from standard/greenkeeper/initial
• 5edd7c3 chore: adapt code to updated dependencies
• aef406a copy
• ff379a0 add stdlib sponsor logo
• c1770a9 readme tweaks
• 4acfb74 Merge pull request [Snyk] Upgrade aws-sdk from 2.275.1 to 2.1337.0 #1057 from sonicdoe/patch-1
• e1c58fb Fix typo

See the full diff

Package name: stylelint

The new version differs by 250 commits.

• 04af9e4 13.0.0
• 704f6a2 Prepare 13.0.0
• 50ba8a9 Reorder changelog
• 1666bba Update devDependencies (UTF-8 problems: characters mysteriously incorrectly encoded atom/atom#4542)
• 062d298 Reindent nodejs.yml (Uncaught Error: EACCES, open '/home/alex/.atom/compile-cache/cson/5af7724b023a6274b520f79f04fb798a67319ca7.json' atom/atom#4541)
• a24e44a Fix atypical rule README structure (Uncaught Error: spawn pep8 ENOENT atom/atom#4537)
• 616ad71 Bump husky from 4.0.3 to 4.0.6 (Uncaught Error: Minified exception occurred atom/atom#4536)
• 5e58ee7 Bump globby from 10.0.2 to 11.0.0 (FuzzyFinder is double displaying atom/atom#4528)
• eaee6a4 Refactor CLI options definition (Commandline behaviour changed moving from Chocolatey to Squirrl atom/atom#4530)
• 6a2ffbd Fix plugin path
• 644b713 Fix Windows path problem
• 1005cbd Add info about invalid syntax in FAQ (Fixed activateNow when no activation promise atom/atom#4535)
• 18b1f99 Fix help text indentation (Better BufferedProcess error handling atom/atom#4531)
• d3c4a9f Update CHANGELOG.md
• 32f67e7 Update CHANGELOG.md
• 04ec577 Bump globby from 10.0.1 to 11.0.0
• d9dbce2 Process multiple spaces in media-feature-parentheses-space-inside (Uncaught TypeError: Bad argument atom/atom#4513)
• 1dc203e Regenerate package-lock.json (Windows releases late again. atom/atom#4517)
• 36bf292 Bump husky from 3.1.0 to 4.0.3 (getting red notifications when saving keymap.cson with parse error atom/atom#4527)
• f5529d5 Bump @ types/micromatch from 3.1.1 to 4.0.0 (Update Chocolatey package to call the new Squirrel based installer atom/atom#4526)
• a254fd2 Bump got from 10.2.0 to 10.2.1 (Uncaught Error: spawn grunt ENOENT atom/atom#4525)
• f2e9f02 Bump remark-validate-links from 9.0.1 to 9.1.0 ("Reveal in Tree View" does not work when there is no folder selected. atom/atom#4524)
• 74d5233 Remove unneeded `@ types/meow` package (Uncaught TypeError: Cannot read property 'destroyItem' of undefined atom/atom#4523)
• cef0b95 Update CHANGELOG.md

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Open Redirect
🦉 Prototype Pollution
🦉 More lessons are available in Snyk Learn