[Snyk] Fix for 26 vulnerabilities

[snyk-bot]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:

  • package.json

• Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
  Find out more.

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-GETOBJECT-1054932	Yes	No Known Exploit
	569/1000 Why? Has a fix available, CVSS 7.1	Arbitrary Code Execution SNYK-JS-GRUNT-597546	Yes	No Known Exploit
	619/1000 Why? Has a fix available, CVSS 8.1	Arbitrary Code Execution SNYK-JS-JSYAML-174129	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	Yes	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-450202	Yes	Proof of Concept
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution SNYK-JS-LODASH-567746	Yes	Proof of Concept
	704/1000 Why? Has a fix available, CVSS 9.8	Prototype Pollution SNYK-JS-LODASH-590103	Yes	No Known Exploit
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-608086	Yes	Proof of Concept
	579/1000 Why? Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-73638	Yes	No Known Exploit
	434/1000 Why? Has a fix available, CVSS 4.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-1019388	Yes	No Known Exploit
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	Yes	Proof of Concept
	641/1000 Why? Mature exploit, Has a fix available, CVSS 5.1	Uninitialized Memory Exposure npm:concat-stream:20160901	Yes	Mature
	579/1000 Why? Has a fix available, CVSS 7.3	Prototype Pollution npm:extend:20180424	Yes	No Known Exploit
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:lodash:20180130	Yes	Proof of Concept
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:mime:20170907	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:minimatch:20160620	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Override Protection Bypass npm:qs:20170213	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) npm:semver:20150403	Yes	No Known Exploit
	399/1000 Why? Has a fix available, CVSS 3.7	Denial of Service (DoS) npm:superagent:20170807	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Information Exposure npm:superagent:20181108	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: grunt-contrib-coffee

The new version differs by 38 commits.

• 40bfa6b add back internal ci (Added changes from #189 to changelog GoogleChrome/accessibility-developer-tools#198)
• f9eec6e updating to coffeescript 2 (Fixes issue #182 and adds a unit test to check this condition. GoogleChrome/accessibility-developer-tools#196)
• 72e1818 Merge pull request Migrate to Travis' container infrastructure GoogleChrome/accessibility-developer-tools#193 from Florian-R/coffee-1.11.1
• 634e41f Bump coffee-script to 1.11.1
• c643075 Remove trailing spaces.
• 9bcddc1 Update grunt-contrib-internal to v1.1.0.
• bdc062c Update grunt to 1.0.0
• dbb494f Update CHANGELOG.
• bd39fc5 Update dependencies.
• 1651944 v1.0.0
• 854b051 Update docs message to be Grunt >= 0.4
• b0a355a Update travis and appveyor for supported node versions
• 01e92e7 Add grunt >= 0.4.5 peerDep
• 5e75633 Updating dependencies
• 5d2b2c0 Merge pull request TypeError: null is not an object (evaluating 'axs.properties.findTextAlternatives(a, {}).trim') GoogleChrome/accessibility-developer-tools#183 from aleclarson/master
• f2341cb Merge pull request Release GoogleChrome/accessibility-developer-tools#192 from sodle/patch-1
• 3d47cf8 Point main to task
• 11bcc13 Remove peerDeps. Ref Remove peerDependencies from plugins gruntjs/grunt#1116
• 2fa7ca1 Update copyright to 2016
• 2b7fc62 CI: Remove node.js '0.12' and add '5'.
• ce0b9a9 Compilation loop is skipped if no files matched.
• 8e8dd94 Update docs.
• cb02b25 Update coffee-options.md
• 3a1110c Update test files.

See the full diff

Package name: grunt-contrib-qunit

The new version differs by 17 commits.

• 0a92929 Update changelog
• b8267e8 Fix tests with phantomjs 2.1.1
• 88557ff Update grunt-lib-phantomjs to 2.0.0, bump major version
• d2960fb Update devDependencies
• 0f0a74c Point main to task
• 37d7347 Remove peerDeps. Ref Remove peerDependencies from plugins gruntjs/grunt#1116
• 6417dec Update copyright to 2016
• b7f0e6f Merge pull request Can't find variable: axs GoogleChrome/accessibility-developer-tools#107 from ntwb/patch-1
• e96b4b0 Add NodeJS v5.x.x to AppVeyor CI build matrix
• 18af6d0 Add NodeJS v5.x.x to Travis CI build matrix
• 048cf31 Merge pull request More ports from aria-toolkit and enhancements GoogleChrome/accessibility-developer-tools#104 from XhmikosR/master
• 633dfed CI: test node.js 4.0.
• 662b38b Merge pull request duplicate and/or invalid ID checks GoogleChrome/accessibility-developer-tools#102 from jeroanan/patch-1
• d1bb823 Correct phantomjs.org link
• abc5844 Fix deprecated package.json licenses
• c6c0200 Merge pull request Add configurable blacklist phrases and stop words to LinkWithUnclearPurpose GoogleChrome/accessibility-developer-tools#99 from XhmikosR/master
• b451577 Update appveyor.yml.

See the full diff

Package name: grunt-eslint

The new version differs by 21 commits.

• 850ebc1 18.0.0
• 47eaced Close Fix path to audit rules in phantomjs runner. GoogleChrome/accessibility-developer-tools#108 PR: Updated ESLint to 2.0.0.
• 4c6a79b 17.3.2
• 7954851 don't log newline when no output
• 9f593a9 Merge pull request duplicate and/or invalid ID checks GoogleChrome/accessibility-developer-tools#102 from ntwb/patch-1
• 24912ca Travis CI: Test on Node.js v4.x.x and v5.x.x
• c9ba8e1 17.3.1
• 32b9231 Merge pull request FocusableElementsNotVisibleAndNotAriaHidden should ignore elements not in tab order with no computed text GoogleChrome/accessibility-developer-tools#93 from pmcelhaney/feature/max-warnings
• 797f8cf Fixed: reversed logic introduced with tooManyWarnings feature. (see Don't construct query selectors referring to .class:nth-of-type GoogleChrome/accessibility-developer-tools#90)
• cc72a55 17.3.0
• 9890899 cleanup Don't construct query selectors referring to .class:nth-of-type GoogleChrome/accessibility-developer-tools#90
• e089df5 Merge pull request Correctly parse alpha in rgba colors GoogleChrome/accessibility-developer-tools#91 from pmcelhaney/feature/max-warnings
• 10dc655 Adds a maxWarnings option. Closes Don't construct query selectors referring to .class:nth-of-type GoogleChrome/accessibility-developer-tools#90
• 10cbc4a 17.2.0
• 4c82cec bump eslint
• 2685aa9 Merge pull request Incorrect use of nth-of-type against className in utils.getQuerySelectorText GoogleChrome/accessibility-developer-tools#87 from oliviertassinari/patch-1
• 73d74a1 Use the fix option of eslint
• 110c4a9 17.1.0
• 83074b2 use the new ESLint `getErrorResults` method
• 1342bf2 17.0.0
• 356f885 ⬆️ eslint 1.0.0

See the full diff

Package name: superagent

The new version differs by 250 commits.

• 3571754 v3.8.1
• 34b69c8 Bump
• 087edaf Clear auth on redirect
• 4108c34 npm@5
• 064b8b0 3.8.0
• b2708db Retry callback
• 383b308 Refactor shouldRetry
• 6bd9b31 indentation to match
• bba9773 log and test style
• bac9933 fn as optional param
• ff607e2 Add optional callback to retry
• 9b0d98d Changelog
• c808dd0 3.8.0-alpha.1
• 87516fc Also support events in global-ish agent
• 66aed34 Default settings for all agent requests
• 05d6c88 Authenticate request using username and password
• 06d7865 Extract common node/browser auth into request-base
• 104ccba Unify auth args handling in node/browser
• be5ab92 Handle errors in zlib pipe
• ef0a35b Merge pull request #1301 from visionmedia/es6
• 0dff890 Prettier
• d669860 ES6ify
• e8463f0 ES6ify Node tests
• cf98d3b Rephrase new documentation about error responses

See the full diff

With a Snyk patch:

Severity	Priority Score (*)	Issue	Exploit Maturity
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:hoek:20180212	Proof of Concept
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:lodash:20180130	Proof of Concept
	469/1000 Why? Has a fix available, CVSS 5.1	Remote Memory Exposure npm:request:20160119	No Known Exploit
	509/1000 Why? Has a fix available, CVSS 5.9	Regular Expression Denial of Service (ReDoS) npm:tough-cookie:20170905	No Known Exploit
	576/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.1	Uninitialized Memory Exposure npm:tunnel-agent:20170305	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Some vulnerabilities couldn't be fully fixed and so Snyk will still find them when the project is tested again. This may be because the vulnerability existed within more than one direct dependency, but not all of the effected dependencies could be upgraded.

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic