[Snyk] Fix for 6 vulnerabilities

[aliscco]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • tools/node_modules/eslint/node_modules/cross-spawn/package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	661/1000 Why? Recently disclosed, Has a fix available, CVSS 7.5	Missing Release of Resource after Effective Lifetime SNYK-JS-INFLIGHT-6095116	Yes	No Known Exploit
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASHTEMPLATE-1088054	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Server-side Request Forgery (SSRF) SNYK-JS-REQUEST-3361831	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-UNSETVALUE-2400660	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: @commitlint/cli

The new version differs by 101 commits.

• 71f0194 v9.0.0
• 5bb6907 docs(readme): add install husky example ([Snyk] Security upgrade ava from 1.4.1 to 2.0.0 #1699)
• 0f0f95a chore: update dependency typescript to v3.8.2 ([Snyk] Fix for 1 vulnerabilities #1002)
• 890df29 chore: update dependency @ types/node to v12.12.28 ([Snyk] Fix for 1 vulnerabilities #1001)
• 6c9ab78 chore: update dependency @ types/jest to v25.1.3 ([Snyk] Fix for 3 vulnerabilities #1000)
• 882e292 chore: update dependency ts-jest to v25.2.1 ([Snyk] Security upgrade acorn-private-class-elements from 0.1.1 to 0.2.0 #999)
• c3eb1a7 fix: ignore empty commit messages [Snyk] Fix for 1 vulnerabilities #615 ([Snyk] Security upgrade tap from 10.7.3 to 16.0.0 #676)
• 8b394c9 feat(config-conventional): footer/body-max-line ([Snyk] Fix for 1 vulnerabilities #436)
• 4443062 feat: add async promise based rules methods into lint ([Snyk] Fix for 1 vulnerabilities #976)
• 89168b8 chore: update typescript-eslint monorepo to v2.20.0 ([Snyk] Security upgrade tap from 2.3.4 to 5.4.3 #998)
• 9d14792 chore: update dependency husky to v4.2.3 ([Snyk] Security upgrade tap from 0.4.13 to 1.0.8 #996)
• 4ee307a fix: update dependency semver to v7.1.3 ([Snyk] Security upgrade acorn-private-class-elements from 0.1.1 to 0.2.0 #995)
• c7cfe37 chore: remove unused configs ([Snyk] Security upgrade tap from 14.11.0 to 18.0.0 #991)
• 0404c7d chore: update dependency @ types/node to v12.12.27 ([Snyk] Security upgrade npm-registry-fetch from 11.0.0 to 14.0.0 #994)
• 34c11b8 fix: incorrect use of when in getForcedCaseFn ([Snyk] Security upgrade tap from 15.2.3 to 18.0.0 #993)
• 6f80f70 chore: align required globby between packages ([Snyk] Fix for 1 vulnerabilities #992)
• f379dcc refactor: replace lodash/omit with spread ([Snyk] Fix for 1 vulnerabilities #988)
• d5c601f test: add missing test cases for ensure and is-ignored ([Snyk] Security upgrade tap from 15.2.3 to 18.0.0 #987)
• ec4af58 docs: update node version support ([Snyk] Fix for 1 vulnerabilities #986)
• f74e036 chore: upgrade execa to 3.4.0 ([Snyk] Security upgrade xo from 0.24.0 to 0.42.0 #984)
• c49a57c feat: passdown argv to lint command ([Snyk] Security upgrade eslint from 4.12.1 to 6.0.0 #891)
• 01c451c test(config-lerna-scopes): add regression tests ([Snyk] Security upgrade tap from 12.7.0 to 18.0.0 #979)
• 21a91e7 test: eslint setup ([Snyk] Security upgrade tap from 14.11.0 to 18.0.0 #981)
• f88f00d fix(config-lerna-scopes): correct lerna in peerDependencies ([Snyk] Fix for 1 vulnerabilities #980)

See the full diff

Package name: babel-jest

The new version differs by 250 commits.

• be16e47 v27.0.0
• 63102ec chore: update changelog for release
• 564694a docs(blog): Jest 27 blog post (test: improve readline coverage to check end and clear keys nodejs/node#11131)
• b68d91b feat(pretty-print): add option `printBasicPrototype` (inspector: make debug an alias for inspect nodejs/node#11441)
• 2226742 chore: minor simplify format results error (test: skip IPv6 test on non-IPv6 systems nodejs/node#11432)
• 78eb25d chore: remove needless assign (test: enhance test-common.js nodejs/node#11433)
• 696c455 chore: update lockfile after publish
• e2eb9ae v27.0.0-next.11
• 3b253f8 Wait for closed resources to actually close before detecting open handles (test: refactor test-http-response-splitting nodejs/node#11429)
• 27bee72 fix: run GC before collecting open handles (test: improve child_process test coverage nodejs/node#11278)
• 50451df feat: use fallback if prettier not found (errors, events: migrate to internal/errors.js nodejs/node#11400)
• 150dbd8 chore: update lockfile after publish
• 6f44529 v27.0.0-next.10
• cbcec7d Upgrade fsevents in jest-haste-map (test, url: URLSearchParams splits across lines nodejs/node#11428)
• 9633a26 feat: support reporters written in ESM (child_process: remove empty if condition nodejs/node#11427)
• 59f42d8 fix: do not cache modules that throw during evaluation (deps: cherry-pick 7c982e7 from V8 upstream nodejs/node#11263)
• 57e32e9 Detect open handles with done callbacks (doc: add missing function to test common doc nodejs/node#11382)
• a397607 Document and test dontThrow for custom inline snapshot matchers (JSON Stringify indentation not working nodejs/node#10995)
• 4fa3a0b feat: custom haste (Fix node nodejs/node#11107)
• 2047a36 chore: bump deps (test: add coverage for utf8CheckIncomplete() nodejs/node#11419)
• a4358d6 chore: run prettier on changelog
• bdd6282 Move all default values into `jest-config` (test: fix test for buffer regression #649 nodejs/node#9924)
• db643a1 Link to Jest config (v7.x backport: src: add tracing controller nodejs/node#11106)
• b16082c Fix locale issue test: Modernize test-tls-peer-certificate.js nodejs/node#10014 (Using core.whitespace fix in git nodejs/node#11412)

See the full diff

Package name: eslint

The new version differs by 134 commits.

• a7985a6 6.0.0
• be74dd9 Build: changelog update for 6.0.0
• 81aa06b Upgrade: [email protected] (deps: Add node-inspect 1.10.6 nodejs/node#11869)
• 5f022bc Fix: no-else-return autofix produces name collisions (fixes v7.x: backport a few WHATWG URL changes nodejs/node#11069) (win,build: add Visual Studio 2017 support nodejs/node#11867)
• ded9548 Fix: multiline-comment-style incorrect message (Plain node debugging cannot connect nodejs/node#11864)
• cad074d Docs: Add JSHint W047 compat to no-floating-decimal (child_process.exec considering process.env improvement nodejs/node#11861)
• 41f6304 Upgrade: sinon (let v8 use libuv thread pool nodejs/node#11855)
• 167ce87 Chore: remove unuseable profile command (lib: Use regex to compare error message nodejs/node#11854)
• c844c6f Fix: max-len properly ignore trailing comments (fixes doc: add missing link to v7.7.2 in changelog nodejs/node#11838) (debugger: fix debugger failure when passing commands with non-latin symbols nodejs/node#11841)
• 1b5661a Fix: no-var should not fix variables named 'let' (fixes AIX: parallel/test-cluster-inspector-debug-brk intermittent failures  nodejs/node#11830) (iciecfjdcddijcvunibfjigbcindrgtkbjdl nodejs/node#11832)
• 4d75956 Build: CI with Azure Pipelines (doc: increase Buffer.concat() documentation nodejs/node#11845)
• 1db3462 Chore: rm superfluous argument & fix perf-multifiles-targets (tools: add unescaped regexp dot rule to linter nodejs/node#11834)
• c57a4a4 Upgrade: @ babel/polyfill => core-js v3 (lib: removed unused msg parameter in debug_agent nodejs/node#11833)
• 65faa04 Docs: Clarify prefer-destructuring array/object difference (fixes test: refactor test-tls-ocsp-callback nodejs/node#9970) (Ignition + TurboFan: Node.js benchmarks nodejs/node#11851)
• 81c3823 Fix: require-atomic-updates reports parameters (fixes src: fix typos in node_lttng_provider.h nodejs/node#11723) (CRYPTO: Add configure option to use system CA certificates nodejs/node#11774)
• aef8ea1 Sponsors: Sync README with website
• 4f48f5a 6.0.0-rc.0
• 6bad650 Build: changelog update for 6.0.0-rc.0
• f403b07 Update: introduce minKeys option to sort-keys rule (fixes util: convert inspect.styles to prototype-less object nodejs/node#11624) (doc: add link to references in net.Socket nodejs/node#11625)
• 87451f4 Fix: no-octal should report NonOctalDecimalIntegerLiteral (fixes crypto: Use system CAs instead of using bundled ones nodejs/node#11794) (console - writable property nodejs/node#11805)
• e4ab053 Update: support "bigint" in valid-typeof rule (doc: missing argument types for events methods nodejs/node#11802)
• e0fafc8 Chore: removes unnecessary assignment in loop (doc: fix a typo in api/process.md nodejs/node#11780)
• 20908a3 Docs: removed '>' prefix from from docs/working-with-rules (Investigate flaky test-arm-math-exp-regress-1376 nodejs/node#11818)
• 1c43eef Sponsors: Sync README with website

See the full diff

Package name: jest

The new version differs by 250 commits.

• 75006e4 v29.0.0
• 7c82a9f chore: update jest-watch-typeahead again
• 352ff29 chore: update changelog for release
• 33ad8c3 docs: Jest 29 blog post (v6.x backport for common.crashOnUnhandledRejection nodejs/node#13103)
• dda77e5 docs: collapse 28.0 and 28.1 docs (v7.x backport for common.crashOnUnhandledRejection nodejs/node#13104)
• c0dc84c chore: update jest-watch-typeahead
• 05f6217 fix: support deep CJS re-exports when using ESM (HTTPS Server crashing randomly (With solution) nodejs/node#13170)
• 490fd88 chore: update yarn (npm -v throw err nodejs/node#13169)
• 98936a2 docs: Update Enzyme links to use new URL (test: add override to ServerDone function nodejs/node#13166)
• 187566a feat(pretty-format): allow to opt out from sorting object keys with `compareKeys: null` (tests: remove common.PORT from cluster worker disconnect, exit and kill nodejs/node#12443)
• ae2bed7 chore: tweak regex used in e2e tests (Design issue for nodejs.org/download nodejs/node#13129)
• 8c56d74 docs: Update Configuration.md for added special notes on usage scenarios for pnpm. (question: best practice for handling unexpected err in tests nodejs/node#13115)
• fb1c53d feat(jest-config)!: remove undocumented `collectCoverageOnlyFrom` option (stream: fix destroy(err, cb) regression nodejs/node#13156)
• 075b489 fix: ignore `EISDIR` when resolving symlinks (gdljuigu nodejs/node#13157)
• 3bef02e feat(@ jest/test-result, @ jest/types)!: replace `Bytes` and `Milliseconds` types with `number` (events: improve performance for emit(), on(), and listeners() nodejs/node#13155)
• 4def94b v29.0.0-alpha.6
• 0f00d4e fix: replace non-CLI `rimraf` usage (serialport error nodejs/node#13151)
• 6a90a2c fix: Allow updating inline snapshots when test includes JSX (buffer: remove pointless C++ utility methods nodejs/node#12760)
• 983274a feat: Let `babel` find config when updating inline snapshots (make and amd64 nodejs/node#13150)
• d2ff18a chore: make prettierPath optional in `SnapshotState` (net: multiple listen() events fail silently nodejs/node#13149)
• 7d8d01c feat(circus): added each to failing tests (async_hooks: implement C++ embedder API nodejs/node#13142)
• a5b52a5 chore(types): separate MatcherContext, MatcherUtils and MatcherState (test: add hasCrypto check to async-wrap-GH13045 nodejs/node#13141)
• 79b5e41 chore: get rid of peer dep warning in website
• 812763d chore: enable 'no-duplicate-imports' (doc: update code example for Windows in stream.md nodejs/node#13138)

See the full diff

Package name: lint-staged

The new version differs by 146 commits.

• 885a644 Merge pull request [Snyk] Security upgrade mocha from 3.5.3 to 4.0.0 #852 from okonet/listr2
• aba3421 fix: all lint-staged output respects the `quiet` option
• b8df31a fix: do not show incorrect error when verbose and no output
• eed6198 style: simplify eslint and prettier config
• b746290 ci: replace Node.js 13 with 14, since 14 will be next LTS
• 2c6f3ad docs: improve `verbose` description
• e749a0b test: remove redundant, misbehaving test
• 16848d8 fix: use test renderer during tests and when TERM=dumb
• efffa22 test: cover `--verbose` option usage
• 1b18550 test: restore variable in test output
• 6aede38 test: add test for error during merge state restoration
• b565481 test: integration test targets the full Node.js API instead of just `runAll`
• a3bd9d7 feat: allow specifying `cwd` using the Node.js API
• 85de3a3 feat: add `--verbose` to show output even when tasks succeed
• d69c65b fix: log task output after running listr to keep everything
• e95d1b0 refactor: move skip and enable cheks of listr tasks to separate file
• 6da7667 refactor: move messages to separate file
• 6392480 refactor: use symbols for errors
• 8f32a3e feat: replace listr with listr2 and print errors inline
• c9adca5 fix: use stash create/store to prevent files from disappearing from disk
• e093b1d fix(deps): update dependencies
• 6066b07 fix: pass correct path to unstaged patch during cleanup
• 0bf1fb0 fix: allow lint-staged to run on empty git repo by disabling backup
• 1ac6863 Merge pull request [Snyk] Fix for 1 vulnerabilities #837 from okonet/serial-git-add

See the full diff

Package name: rimraf

The new version differs by 40 commits.

• 3b6b098 4.0.0
• e0cffea ci: reduce workload even more
• 0e6646d ci: remove unnecessary lint filter
• 546e017 update action versions
• 6d88a65 tone down benchmark intensity
• 842a8d2 fix benchmark workflow yaml
• 1b91697 chore: add copyright year to license
• 08bbb06 rewrite in TS, export hybrid, update changelog, docs
• 1b3f46e drop support for node versions below 14
• 2e1f003 gh actions workflow for benchmarks
• 52f9370 tests for retry-busy behavior
• 188e3ed don't test on very old node versions
• d1d5495 test for fix-eperm
• e7501cd prettier formatting
• 40f64ec windows: only fall back to move-remove when absolutely necessary
• b6f7819 update tap
• 99496cd test: run posix test on windows, why not?
• 51d43c1 benchmarks
• 6b8aa29 doc: correct os.tmp default
• 4b228c9 do not ever actually try to rmdir /
• 2442655 consolidate all the spellings of 'opt' into one
• d4eec2e add cli script
• 0c82d74 accept strings, arrays of strings, and no other types
• ad4f2db Do not rimraf /, override with preserveRoot:false

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Server-side Request Forgery (SSRF)
🦉 Prototype Pollution