[Snyk-dev] Fix for 31 vulnerabilities

[gjvis]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:

  • package.json
  • package-lock.json

• Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
  Find out more.

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	619/1000 Why? Has a fix available, CVSS 8.1	Prototype Pollution SNYK-JS-AJV-584908	No	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	No	Proof of Concept
	616/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.9	Server-Side Request Forgery (SSRF) SNYK-JS-AXIOS-1038255	No	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-AXIOS-1579269	No	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Denial of Service (DoS) SNYK-JS-AXIOS-174505	No	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-BROWSERSLIST-1090194	No	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Information Exposure SNYK-JS-EVENTSOURCE-2823375	No	Proof of Concept
	484/1000 Why? Has a fix available, CVSS 5.4	Open Redirect SNYK-JS-GOT-2932019	No	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-ISSVG-1085627	No	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-ISSVG-1243891	No	Proof of Concept
	509/1000 Why? Has a fix available, CVSS 5.9	Denial of Service (DoS) SNYK-JS-JSYAML-173999	No	No Known Exploit
	619/1000 Why? Has a fix available, CVSS 8.1	Arbitrary Code Execution SNYK-JS-JSYAML-174129	No	No Known Exploit
	539/1000 Why? Has a fix available, CVSS 6.5	Information Exposure SNYK-JS-NODEFETCH-2342118	No	No Known Exploit
	520/1000 Why? Has a fix available, CVSS 5.9	Denial of Service SNYK-JS-NODEFETCH-674311	No	No Known Exploit
	494/1000 Why? Has a fix available, CVSS 5.6	Command Injection SNYK-JS-NODENOTIFIER-1035794	No	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-POSTCSS-1255640	No	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-SSRI-1246392	No	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-VUEAPOLLO-474013	No	No Known Exploit
	529/1000 Why? Has a fix available, CVSS 6.3	Cross-site Scripting (XSS) SNYK-JS-WEBPACKBUNDLEANALYZER-174190	No	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Information Exposure SNYK-JS-WEBPACKDEVSERVER-72405	No	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-WS-1296835	No	Proof of Concept
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:braces:20180219	No	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution npm:deep-extend:20180409	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Cross-site Scripting (XSS) npm:react-dom:20180802	No	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Cross-site Scripting (XSS) npm:vue:20180802	No	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: axios

The new version differs by 250 commits.

• e367be5 [Releasing] 0.21.3
• 83ae383 Correctly add response interceptors to interceptor chain (#4013)
• c0c8761 [Updating] changelog to include links to issues and contributors
• 619bb46 [Releasing] v0.21.2
• 82c9455 Create SECURITY.md (#3981)
• 5b45711 Security fix for ReDoS (#3980)
• 5bc9ea2 Update ECOSYSTEM.md (#3817)
• e72813a Fixing README.md (#3818)
• e10a027 Fix README typo under Request Config (#3825)
• e091491 Update README.md (#3936)
• b42fbad Removed un-needed bracket
• 520c8dc Updating CI status badge (#3953)
• 4fbeecb Adding CI on Github Actions. (#3938)
• e9965bf Fixing the sauce labs tests (#3813)
• dbc634c Remove charset in tests (#3807)
• 3958e9f Add explanation of cancel token (#3803)
• 69949a6 Adding custom return type support to interceptor (#3783)
• 49509f6 Create FUNDING.yml (#3796)
• 199c8aa Adding parseInt to config.timeout (#3781)
• 94fc4ea Adding isAxiosError typeguard documentation (#3767)
• 0ece97c Fixing quadratic runtime when setting a maxContentLength (#3738)
• a18a0ec Updating `lib/core/README.md` about Dispatching requests (#3772)
• 59fa614 [Updated] follow-redirects to the latest version (#3771)
• 7821ed2 Feat/json improvements (#3763)

See the full diff

Package name: offline-plugin

The new version differs by 53 commits.

• df08535 [skip ci] 5.0.4
• 363a89e [ci skip] Release 5.0.5
• 56553d4 [ci skip] Release 5.0.4
• ddec2aa Fix tests
• ec987f4 Fix appShell returning the shell file when navigating to sw file's location
• 2cf8af2 Update fixtures to new webpack 4's bundle output format
• 5b9f60a Fix 'only-if-cached' in fetch event error
• 765abb0 Merge pull request #384 from julienw/patch-1
• 9b8e5de Add a link to appShell doc from the doc for cacheMaps
• 1f99abe [skip ci] Readme improvment
• a9daba4 Readme improvment
• eb9c16b Merge pull request #381 from etchteam/master
• fd22075 fix: Update deep-extend
• 1454262 [ci skip] Release 5.0.3
• a2eee00 Make `ServiceWorker.minify` option auto-detect usage of optimization.minimize (webpack 4+)
• 0f73617 [ci skip] Release 5.0.2
• 7b29577 Use never version of loader injection into "after-resolve" NMF
• 65edf58 [ci skip] Release 5.0.1
• bf055a8 Fix plugin usage without options
• c8a6344 [skip ci] Comment demo from readme for now
• 9018bd7 [ci skip] Release 5.0.0
• 5fc00d8 Remove loaders information from build scripts and tests
• b8b961f Fix addAllNormalized wrong behavior with activate and remove undocumented loaders
• 75557ad Fix `isNotRedirectedResponse` function is used without an argument

See the full diff

Package name: prop-types

The new version differs by 15 commits.

• fa6fbb7 15.6.2
• 5115f5c Merge pull request Bump follow-redirects from 1.13.1 to 1.14.8 in /assets/js/form-devxpress-angular Rebolon/php-sf-flex-webpack-encore-vuejs#180 from jaller94/master
• 2ac742c Merge pull request [Snyk] Security upgrade devextreme from 18.2.9 to 19.1.10 Rebolon/php-sf-flex-webpack-encore-vuejs#171 from barrymichaeldoyle/master
• a7a5a64 Merge pull request Bump jszip from 3.2.2 to 3.10.1 Rebolon/php-sf-flex-webpack-encore-vuejs#194 from facebook/no-fbjs
• d6c9c5c Preserve "Invariant Violation" name
• 07d1b47 Remove fbjs dependency
• 3c99d57 Remove trailing spaces
• a36cda8 Move explanation of `isRequired` and show it in `PropTypes.shape`
• ba3da12 Show that shapes can have required properties
• 2bde8eb Add example for `PropTypes.exact`
• d65f80e Updated vars to consts and lets in PropTypesProductionStandalone-test.js
• c10c93f Updated vars to consts and lets in PropTypesDevelopmentStandalone-test.js
• 8e2b34e Updated vars to consts and lets in PropTypesDevelopmentReact15.js
• c5527c8 Updated vars with consts and lets in PropTypesProductionReact15-test.js
• 7cc8c81 Add 15.6.1 to CHANGELOG

See the full diff

Package name: quasar-cli

The new version differs by 250 commits.

• 02acddb chore: Bump version
• 44ab861 feat(deps) webpack-bundle-analyzer version bump (#233)
• 524e541 chore: Bump version
• a0350bc feat: Allow devserver's SSL certificate while on dev with HTTPS for cordova iOS
• a825ff0 feat: Enforce correct build mode for Cordova on iOS with latest XCode
• 57eb65e feat: Upgrade electron to v4, and electron-packager (if required) to v13
• 28a8ace feat: Allow cordova mode to run on HTTPS while on dev Bump jszip from 3.2.2 to 3.10.1 Rebolon/php-sf-flex-webpack-encore-vuejs#194
• d8c0e7f Revert "Quasar-cli ([Snyk] Security upgrade axios from 0.18.1 to 1.7.8 Rebolon/php-sf-flex-webpack-encore-vuejs#225)"
• 3dacee0 Quasar-cli ([Snyk] Security upgrade axios from 0.18.1 to 1.7.8 Rebolon/php-sf-flex-webpack-encore-vuejs#225)
• f6f71fc chore: Bump version
• 0d3b8b8 feat: Bump version; Install Electron v3 (instead of v2) when adding Electron mode
• 81b2e6c chore: Bump version
• 0f04895 chore: Updated deps
• 5854d46 fix: Allow Webpack to load nested package dependencies (Ujh Rebolon/php-sf-flex-webpack-encore-vuejs#198)
• be9e97c Update quasar-serve (Bump eventsource from 1.0.7 to 1.1.1 in /assets/js/form-devxpress-angular Rebolon/php-sf-flex-webpack-encore-vuejs#191)
• 3e7c49f chore: Bump version
• 37e0ee1 Merge branch 'dev' of github.com:quasarframework/quasar-cli into dev
• bedcb1f feat: Greatly improve assets hashing
• 421fecb add support for android-versionCode (Bump minimist from 1.2.5 to 1.2.6 in /assets/js/form-devxpress-angular Rebolon/php-sf-flex-webpack-encore-vuejs#189)
• a959e20 feat: Update to quasar-extras v2.0.8
• 5b811da feat: Update to quasar-extras v2.0.7
• 8053b81 fix: [CLI 0.17.19] quasar.conf > build > gzip: true breaks build Bump url-parse from 1.4.7 to 1.5.10 in /assets/js/form-devxpress-angular Rebolon/php-sf-flex-webpack-encore-vuejs#184
• 27f58bb chore: Bump version
• 7b7fe96 feat: stop PrettyError so that Ouch can access the stack trace

See the full diff

Package name: vue-apollo

The new version differs by 250 commits.

• 8a55533 docs(readme): docs link
• 428b5cb docs(readme): move link
• a35f50d docs(readme): contributing guide
• 5420630 chore: add test:ssr to test script
• 4d15268 Create CONTRIBUTING.md
• dc138f2 chore: Create CODE_OF_CONDUCT.md (#839)
• 87785af chore: Update issue templates
• b95388f fix: security issue
• 198b383 test(e2e): manual add smart query: loadingKey
• 14ea90a fix(ci): generate schema files
• 4f9bba4 test(ci): fix yarn cache id
• 73e970a test(ci): fix install
• 6afceec test(e2e): SSR
• af0b69d Merge branch 'dev' of github.com:Akryum/vue-apollo into dev
• c3b840c fix(ssr): memory leak, closes https://github.com/Memory leak with Smart Query nuxt-modules/apollo#231
• 94bbb52 chore(deps-dev): bump vue-cli-plugin-apollo in /tests/demo
• b7e214b chore(deps-dev): bump rollup from 1.24.0 to 1.25.1
• 7733edc test(e2e): rename test.js to chat.js
• 8da4777 test(e2e): errorPolicy support
• ae4713e fix(smart query): handling errorPolicy, closes #526
• ef9c7a0 docs(smart query): new `error` args
• 932c5b9 feat(errorHandler): added options arg
• aea6c93 feat(errorHandler): added vm, key, type arguments
• b7642cd fix(ts): DataDef not defined error?!?

See the full diff

With a Snyk patch:

Severity	Priority Score (*)	Issue	Exploit Maturity
	731/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.2	Prototype Pollution SNYK-JS-LODASH-567746	Proof of Concept
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	No Known Exploit
	579/1000 Why? Has a fix available, CVSS 7.3	Prototype Pollution npm:extend:20180424	No Known Exploit
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:hoek:20180212	Proof of Concept
	646/1000 Why? Mature exploit, Has a fix available, CVSS 5.2	Uninitialized Memory Exposure npm:stringstream:20180511	Mature
	509/1000 Why? Has a fix available, CVSS 5.9	Regular Expression Denial of Service (ReDoS) npm:tough-cookie:20170905	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Open Redirect
🦉 Regular Expression Denial of Service (ReDoS)
🦉 More lessons are available in Snyk Learn