[Snyk] Fix for 44 vulnerabilities

[aliscco]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • test/fixtures/qs-package/node_modules/request/package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	706/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.7	Remote Memory Exposure SNYK-JS-BL-608877	No	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	Yes	Proof of Concept
	584/1000 Why? Has a fix available, CVSS 7.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-HAWK-2808852	No	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	No	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	No	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-450202	No	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-608086	No	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-73638	No	Proof of Concept
	541/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	No	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-1019388	No	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-3050818	No	No Known Exploit
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Prototype Pollution SNYK-JS-MINIMIST-2429795	Yes	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	Yes	Proof of Concept
	661/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.8	Arbitrary Code Injection SNYK-JS-MORGAN-72579	No	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Poisoning SNYK-JS-QS-3153490	No	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Server-side Request Forgery (SSRF) SNYK-JS-REQUEST-3361831	No	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	No	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-UGLIFYJS-1727251	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-UNSETVALUE-2400660	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-USERAGENT-174737	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-WS-1296835	No	Proof of Concept
	726/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.1	Arbitrary Code Injection SNYK-JS-XMLHTTPREQUEST-1082935	No	Proof of Concept
	816/1000 Why? Mature exploit, Has a fix available, CVSS 8.6	Uninitialized Memory Exposure npm:base64-url:20180512	No	Mature
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	No	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:fresh:20170908	No	No Known Exploit
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:hoek:20180212	No	Proof of Concept
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:lodash:20180130	No	Proof of Concept
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:mime:20170907	No	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:minimatch:20160620	No	No Known Exploit
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:ms:20170412	No	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:negotiator:20160616	No	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Override Protection Bypass npm:qs:20170213	No	No Known Exploit
	469/1000 Why? Has a fix available, CVSS 5.1	Remote Memory Exposure npm:request:20160119	No	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:tough-cookie:20160722	No	No Known Exploit
	509/1000 Why? Has a fix available, CVSS 5.9	Regular Expression Denial of Service (ReDoS) npm:tough-cookie:20170905	No	No Known Exploit
	576/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.1	Uninitialized Memory Exposure npm:tunnel-agent:20170305	No	Proof of Concept
	629/1000 Why? Has a fix available, CVSS 8.3	Improper minification of non-boolean comparisons npm:uglify-js:20150824	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) npm:uglify-js:20151024	Yes	No Known Exploit
	324/1000 Why? Has a fix available, CVSS 2.2	Uninitialized Memory Exposure npm:utile:20180614	No	No Known Exploit
	539/1000 Why? Has a fix available, CVSS 6.5	Remote Memory Exposure npm:ws:20160104	No	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) npm:ws:20160624	No	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Insecure Randomness npm:ws:20160920	No	No Known Exploit
	761/1000 Why? Mature exploit, Has a fix available, CVSS 7.5	Denial of Service (DoS) npm:ws:20171108	No	Mature

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: browserify

The new version differs by 166 commits.

• 26c58a9 forgot the "has" dep
• 9a3864e more changelog info about browser field mappings
• 42c2052 fix now works with the latest resolve
• 29d917e failing browser field file test
• ef257ed remove dnode test, was causing issues
• 16611da some upgrades
• ee3be4a more info on v9 fixes
• e6438ea failing cases in pkg_event
• 145ea52 failing pkg_event test
• 97203b3 upgrades for 9.0.0
• fbd6e2e Merge branch 'fix-expose' of https://github.com/jmm/node-browserify
• dbe2c71 9.0.0
• 53821dd Merge branch 'remove-unused-umd-dep' of https://github.com/zertosh/node-browserify
• f6593fb Update browser-pack to ^4.0.0
• 7ff5676 Merge branch 'remove-unused-umd-dep' of https://github.com/zertosh/node-browserify
• ab4b4b8 Remove unused "umd" dep
• d938408 failing relative dedupe case
• a18657c 8.1.3
• b300f68 Merge branch 'master' of https://github.com/jden/node-browserify
• 6ba8455 8.1.2
• 19dcba9 Support requiring a shimmed module name from an external bundle
• b106b1d ensure use of URL path separators
• 16eef09 Merge pull request [Snyk] Fix for 6 vulnerabilities #1082 from nikolas/patch-1
• 77eed91 Remove broken link to changelog

See the full diff

Package name: coveralls

The new version differs by 10 commits.

• 5ebe57f bump version
• 428780c Expand allowed dependency versions to all API compatible versions ([Snyk] Security upgrade actionpack from 4.2.5 to 4.2.11.3 #172)
• eb1b723 Update Mocha link ([Snyk] Security upgrade sanitize from 4.6.2 to 5.2.1 #169)
• b9032a1 better Jenkins detection
• 2821200 version bump
• ef7e811 Parse commit from packed refs if not available in refs dir. ([Snyk] Security upgrade django from 1.6.1 to 2.2.26 #163)
• e476964 Merge pull request [Snyk] Security upgrade django from 2.0.1 to 2.2.26 #162 from evanjbowling/patch-1
• 63a7f92 Update README.md
• d571dac merge, version bump
• 1575050 branching WIP

See the full diff

Package name: eslint

The new version differs by 250 commits.

• ff8c4bb 4.5.0
• 480bbee Build: changelog update for 4.5.0
• decdd2c Update: allow arbitrary nodes to be ignored in `indent` (fixes #8594) (#9105)
• 79062f3 Update: fix indentation of multiline `new.target` expressions (#9116)
• d00e24f Upgrade: `chalk` to 2.x release (#9115)
• 6ef734a Docs: add missing word in processor documentation (#9106)
• a4f53ba Fix: Include files with no messages in junit results (#9093) (#9094)
• 1d6a9c0 Chore: enable eslint-plugin/test-case-shorthand-strings (#9067)
• f8add8f Fix: don't autofix with linter.verifyAndFix when `fix: false` is used (#9098)
• 77bcee4 Docs: update instructions for adding TSC members (#9086)
• bd09cd5 Update: avoid requiring NaN spaces of indentation (fixes #9083) (#9085)
• c93a853 Chore: Remove extra space in blogpost template (#9088)
• 0d9da6d 4.4.1
• 1ea9a6c Build: changelog update for 4.4.1
• ec93614 Fix: no-multi-spaces to avoid reporting consecutive tabs (fixes #9079) (#9087)
• a113cd3 4.4.0
• 181bd46 Build: changelog update for 4.4.0
• 89196fd Upgrade: Espree to 3.5.0 (#9074)
• b3e4598 Fix: clarify AST and don't use `node.start`/`node.end` (fixes #8956) (#8984)
• 62911e4 Update: Add ImportDeclaration option to indent rule (#8955)
• de75f9b Chore: enable object-curly-newline & object-property-newline.(fixes #9042) (#9068)
• 5ae8458 Docs: fix typo in object-shorthand.md (#9066)
• c3d5b39 Docs: clarify options descriptions (fixes #8875) (#9060)
• 37158c5 Docs: clarified behavior of globalReturn option (fixes #8953) (#9058)

See the full diff

Package name: karma

The new version differs by 250 commits.

• 1b48637 chore(release): 5.0.0 [skip ci]
• a5dbe89 Update issue templates (test: fix broken test after security URL change snyk/cli#3460)
• 1074f38 chore(ci): rely on karma-runnre/integration-tests for saucelabs config ([Snyk-dev] Security upgrade got from 3.3.1 to 11.8.5 snyk/cli#3462)
• 4d45cf0 chore(ci): remove more old connection security stuffs (fix: fix broken test after security URL change snyk/cli#3459)
• be76fcc chore(ci): use travis UI for sauce config (#3458)
• a04a542 chore(ci): remove secure encryption var ([Snyk] Security upgrade python from 3.8-slim to 3.9-slim snyk/cli#3457)
• 1eaf35e fix: install semantic-release as a regular dev dependency (#3455)
• 0647109 docs: Fix simple typo, overriden -> overridden (feat: add --remote-repo-url to "iac test" snyk/cli#3453)
• ec1e69a fix(server): replace optimist on yargs lib (feat: Add support for severity threshold [CFG-1991] snyk/cli#3451)
• ffad7fa refactor(launcher): use class syntax (feat: OS CLI output part I - update severity headline +test snyk/cli#3437)
• 7166ce2 fix(server): detection new MS Edge Chromium (feat: bump snyk-iac-test version snyk/cli#3440)
• b8b2ed8 fix(ci): echo travis env that gates release after_success (fix: bump snyk docker plugin version golang fixes snyk/cli#3446)
• 33a069f refactor: use native Promise instead of Bluebird (chore: cleanup iac custom rules analytics [CFG-1144] snyk/cli#3436)
• 131d154 refactor: drop safe-buffer dependency in favor of native Buffer (fix: always show path names of invalid IaC files snyk/cli#3438)
• cb1bcbf fix(server): cleanup import of the removed method (Update driftctl to v0.35 snyk/cli#3439)
• 5c334f5 fix(server): createPreprocessor was removed (Synchronizing CLI help from user-docs snyk/cli#3435)
• d7128d4 refactor(server): remove PromiseContainer class (refactor: Remove white texts from IaC test output snyk/cli#3416)
• 057d527 feat(docs): document `DEFAULT_LISTEN_ADDR` constant (chore: upgrade snyk-iac-test snyk/cli#3443)
• a673aa8 ci: drop node 8, adopt node 12 (chore: Authentication negotiation for Kerberos snyk/cli#3430)
• 9eb6436 chore(server): Convert PromiseContainer to object and remove ([Snyk] Security upgrade actionpack from 4.2.5 to 4.2.5 snyk/cli#3401)
• 0856234 chore(travis): release on node 10 success ([NEBULA-635] chore: bump code-client version snyk/cli#3428)
• 708ae13 feat(preprocessor): obey Pattern.isBinary when set (fix: docker/Dockerfile.python-3.6 to reduce vulnerabilities snyk/cli#3422)
• 00d536f chore(test): logLevel debug in proxy test (chore: snyk-iac-test checksum snyk/cli#3427)
• da9d8bd chore(docs): delete PULL_REQUEST_TEMPLATE.md

See the full diff

Package name: karma-browserify

The new version differs by 3 commits.

• 493efe3 chore(project): release v4.0.0
• febecf6 chore(project): upgrade to browserify@9.x
• d15ea45 fix(bro): resolve basedir to real path

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Prototype Pollution
🦉 Arbitrary Code Injection
🦉 More lessons are available in Snyk Learn