From 3af631ffe613a0e4225276175105c1c232f33fd7 Mon Sep 17 00:00:00 2001
From: snyk-bot <snyk-bot@snyk.io>
Date: Mon, 4 May 2020 21:08:24 -0600
Subject: [PATCH 1/2] fix: .snyk & package.json to reduce vulnerabilities

The following vulnerabilities are fixed with a Snyk patch:
- https://snyk.io/vuln/SNYK-JS-LODASH-567746
---
 .snyk | 43 ++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 38 insertions(+), 5 deletions(-)

diff --git a/.snyk b/.snyk
index 07a3827ae46..8eb434249ba 100644
--- a/.snyk
+++ b/.snyk
@@ -1,10 +1,43 @@
-version: v1.38.1
+# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
+version: v1.14.1
+# ignores vulnerabilities until expiry date; change duration by modifying expiry date
 ignore:
-  'SNYK-RUBY-NOKOGIRI-20299':
+  SNYK-RUBY-NOKOGIRI-20299:
     - '* > nokogiri':
-        reason: 'We do not opt in to DTDLOAD and do not opt out of NONET'
+        reason: We do not opt in to DTDLOAD and do not opt out of NONET
         expires: '2018-01-01T00:00:00.000Z'
-  'SNYK-RUBY-ACTIONCABLE-20338':
+  SNYK-RUBY-ACTIONCABLE-20338:
     - '* > actioncable':
-        reason: 'We do not use actioncable'
+        reason: We do not use actioncable
         expires: '2017-09-10T00:00:00.000Z'
+# patches apply the minimum changes required to fix a vulnerability
+patch:
+  SNYK-JS-LODASH-567746:
+    - '@rails/webpacker > @babel/core > lodash':
+        patched: '2020-05-05T03:08:22.542Z'
+    - '@rails/webpacker > node-sass > lodash':
+        patched: '2020-05-05T03:08:22.542Z'
+    - webpack-dev-server > http-proxy-middleware > lodash:
+        patched: '2020-05-05T03:08:22.542Z'
+    - '@rails/webpacker > @babel/preset-env > @babel/plugin-transform-block-scoping > lodash':
+        patched: '2020-05-05T03:08:22.542Z'
+    - '@rails/webpacker > node-sass > sass-graph > lodash':
+        patched: '2020-05-05T03:08:22.542Z'
+    - '@rails/webpacker > optimize-css-assets-webpack-plugin > last-call-webpack-plugin > lodash':
+        patched: '2020-05-05T03:08:22.542Z'
+    - webpack-dev-server > portfinder > async > lodash:
+        patched: '2020-05-05T03:08:22.542Z'
+    - '@rails/webpacker > @babel/preset-env > @babel/plugin-transform-classes > @babel/helper-define-map > lodash':
+        patched: '2020-05-05T03:08:22.542Z'
+    - '@rails/webpacker > node-sass > gaze > globule > lodash':
+        patched: '2020-05-05T03:08:22.542Z'
+    - '@rails/webpacker > @babel/preset-env > @babel/plugin-transform-unicode-regex > @babel/helper-create-regexp-features-plugin > @babel/helper-regex > lodash':
+        patched: '2020-05-05T03:08:22.542Z'
+    - '@rails/webpacker > @babel/preset-env > @babel/preset-modules > @babel/plugin-transform-dotall-regex > @babel/helper-create-regexp-features-plugin > @babel/helper-regex > lodash':
+        patched: '2020-05-05T03:08:22.542Z'
+    - '@rails/webpacker > @babel/preset-env > @babel/plugin-transform-exponentiation-operator > @babel/helper-builder-binary-assignment-operator-visitor > @babel/helper-explode-assignable-expression > @babel/traverse > @babel/generator > lodash':
+        patched: '2020-05-05T03:08:22.542Z'
+    - '@rails/webpacker > @babel/preset-env > @babel/plugin-transform-exponentiation-operator > @babel/helper-builder-binary-assignment-operator-visitor > @babel/helper-explode-assignable-expression > @babel/traverse > @babel/helper-split-export-declaration > @babel/types > lodash':
+        patched: '2020-05-05T03:08:22.542Z'
+    - '@rails/webpacker > @babel/preset-env > @babel/plugin-transform-exponentiation-operator > @babel/helper-builder-binary-assignment-operator-visitor > @babel/helper-explode-assignable-expression > @babel/traverse > @babel/helper-function-name > @babel/template > @babel/types > lodash':
+        patched: '2020-05-05T03:08:22.542Z'

From f4b161a035d91afdb9b9737d5e105c2bfbdcbe4d Mon Sep 17 00:00:00 2001
From: snyk-bot <snyk-bot@snyk.io>
Date: Mon, 4 May 2020 21:08:25 -0600
Subject: [PATCH 2/2] fix: .snyk & package.json to reduce vulnerabilities

The following vulnerabilities are fixed with a Snyk patch:
- https://snyk.io/vuln/SNYK-JS-LODASH-567746
---
 package.json | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/package.json b/package.json
index ff2a96eb47d..d294f3b5c85 100644
--- a/package.json
+++ b/package.json
@@ -8,7 +8,9 @@
   },
   "scripts": {
     "test": "NODE_ENV=test `npm bin`/mocha --require @babel/register --require spec/javascripts/spec_helper.js 'spec/javascripts/**/**_spec.js'",
-    "build": "true"
+    "build": "true",
+    "snyk-protect": "snyk protect",
+    "prepare": "yarn run snyk-protect"
   },
   "dependencies": {
     "@rails/webpacker": "^4.1.0",
@@ -27,7 +29,8 @@
     "normalize.css": "^4.2.0",
     "sinon": "^1.17.7",
     "webpack-dev-server": "^3.10.3",
-    "zxcvbn": "^4.4.2"
+    "zxcvbn": "^4.4.2",
+    "snyk": "^1.317.0"
   },
   "devDependencies": {
     "@babel/register": "^7.4.4",
@@ -42,5 +45,6 @@
     "jsdom": "^16.2.2",
     "mocha": "^6.1.4",
     "proxyquire": "^1.8.0"
-  }
+  },
+  "snyk": true
 }