[Snyk] Fix for 14 vulnerabilities

[arroselli]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json
  • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	621/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6	Prototype Pollution SNYK-JS-FLAT-596927	No	Proof of Concept
	484/1000 Why? Has a fix available, CVSS 5.4	Open Redirect SNYK-JS-GOT-2932019	Yes	No Known Exploit
	531/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.2	Prototype Pollution SNYK-JS-IOREDIS-1567196	No	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	No	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	No	Proof of Concept
	731/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.2	Prototype Pollution SNYK-JS-LODASH-567746	No	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-1070800	No	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-2342073	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-2342082	Yes	Proof of Concept
	539/1000 Why? Has a fix available, CVSS 6.5	Information Exposure SNYK-JS-NODEFETCH-2342118	No	No Known Exploit
	768/1000 Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-NODEFETCH-2964180	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-POSTCSS-1090595	No	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-POSTCSS-1255640	No	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-TRIM-1017038	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: flat

The new version differs by 12 commits.

• e5ffd66 Release 5.0.2
• fdb79d5 Update dependencies, refresh lockfile, format with standard.
• e52185d Test against node 14 in CI.
• 0189cb1 Avoid arrow function syntax.
• f25d3a1 Release 5.0.1
• 54cc7ad use standard formatting
• 779816e drop dependencies
• 2eea6d3 Bump lodash from 4.17.15 to 4.17.19
• a61a554 Bump acorn from 7.1.0 to 7.4.0
• 20ef0ef Fix prototype pollution on unflatten
• e8fb281 Test prototype pollution on unflatten
• 6e95c43 Add node 10 & 12 to travis config.

See the full diff

Package name: got

The new version differs by 250 commits.

• 5e17bb7 11.8.5
• bce8ce7 Backport 861ccd9ac2237df762a9e2beed7edd88c60782dc
• 8ced192 Fix build
• 670eb04 11.8.4
• 20f29fe Backport add update index.md github/docs#1543: Initialize globalResponse in case of ignored HTTPError (x github/docs#2017)
• 0da732f 11.8.3
• 9463bb6 Bump cacheable-request dependency (Vcc.com github/docs#1921)
• 0e167b8 HTTPError code set to 'HTTPError' #1711 (rohittravels.md github/docs#1739)
• f896aa5 11.8.2
• 3bd245f Instantiate CacheableLookup only when needed (Update point 2 of Creating your first workflow github/docs#1529)
• a72ed84 11.8.1
• 4c815c3 Do not throw on custom stack traces (repo sync github/docs#1491)
• e0cb820 11.8.0
• f65c9ef Upgrade dependencies
• 7acd380 Fix for sending files with size `0` on `stat` ([email protected] github/docs#1488)
• 6aa86f2 Fix indentation in the readme
• 3dd2273 `beforeRetry` allows stream body if different from original (Include work around for wildcards in HTTP Proxy Exclusion list github/docs#1501)
• b1afa2b Fix readme example comment (fix: Links to localhost addresses github/docs#1505)
• 390b145 Set default value for an options object (Content style guide suggests to avoid the wrong term github/docs#1495)
• 87dadd5 Fixed documentation example for `responseType` ("repository_dispatch" event shows wrong GITHUB.SHA and GITHUB.REF information github/docs#1494)
• 3bf3e3b Add `lookup` option documentation (add access-permissions-on-github.md github/docs#1483)
• c31366b Add a test for repo sync github/docs#1438 (repo sync github/docs#1469)
• 5d62958 11.7.0
• 88b32ea Fix a regression where body was sent after redirect

See the full diff

Package name: ioredis

The new version differs by 66 commits.

• 0587353 chore(release): 4.27.8 [skip ci]
• 7d73b9d fix: handle malicious keys for hgetall (Update Configuring a codespace for VS github/docs#1416)
• 17c7595 chore: fix potential security vulnerabilities [skip ci]
• a13eddc chore(release): 4.27.7 [skip ci]
• d7477aa fix(cluster): fix autopipeline with keyPrefix or arg array (Rename changing-a-remotes-url.md to changing-a-remotes-url.mod github/docs#1391)
• beefcc1 docs(README): fix docs typo (Actions: Indicate that .steps is an array of objects github/docs#1385)
• cae7fc5 chore(release): 4.27.6 [skip ci]
• 42f1ee1 fix: fixed autopipeline performances. (Thailand github/docs#1226)
• 71f2994 chore(release): 4.27.5 [skip ci]
• f02e383 fix(SENTINEL): actively failover detection under an option (rolls on [email protected] github/docs#1363)
• c87ea2a chore(release): 4.27.4 [skip ci]
• 62b6a64 perf: Serialize error stack only when needed (history github/docs#1359)
• d4a55b5 chore(release): 4.27.3 [skip ci]
• abd9a82 fix: autopipeling for buffer function (Avoid use branch for example workflows github/docs#1231)
• e0cfea1 chore(release): 4.27.2 [skip ci]
• aa9c5b1 fix(cluster): avoid ClusterAllFailedError in certain cases
• aafc349 chore(release): 4.27.1 [skip ci]
• d65f8b2 fix: clears commandTimeout timer as each respective command gets fulfilled (Rename content/github/site-policy/github-and-trade-controls.md to con… github/docs#1336)
• 9e140f0 chore(release): 4.27.0 [skip ci]
• a464151 feat(sentinel): detect failover from +switch-master messages (chore: Convert Standard to eslint-config-standard github/docs#1328)
• 6b821af docs: add CONTRIBUTING note
• dac428d chore(release): 4.26.0 [skip ci]
• 2e388db feat(cluster): apply provided connection name to internal connections
• 81b9be0 fix(cluster): subscriber connection leaks

See the full diff

Package name: linkinator

The new version differs by 108 commits.

• 2cab633 feat: create new release with notes (Missed slash in "if" and minor formatting github/docs#508)
• a376199 fix!: stream CSV results (repo sync github/docs#507)
• 18d808c chore(deps): update dependency @ types/update-notifier to v6 (repo sync github/docs#503)
• 0ee27e0 chore(deps): update dependency got to 11.8.5 [security] (Update testing-webhooks.md github/docs#505)
• 5ef0e1e build!: drop support for nodejs 12.x (docs: add tnir as a contributor github/docs#506)
• eeebebd build(deps-dev): bump semantic-release from 19.0.2 to 19.0.3 (Multiple deploy keys github/docs#501)
• da166dd build(deps): bump semver-regex from 3.1.3 to 3.1.4 (Multiple Unique Deployment Keys on One Server. github/docs#500)
• 4c63eb8 build(deps): bump npm from 8.3.1 to 8.12.0 (Fix and extend push webhook documentation. github/docs#499)
• 5ca5a46 feat: allow --skip to be defined multiple times (https://github.com/github/docs/pull/398#issue-501049475 github/docs#399)
• 9c2b5d8 chore(deps): update dependency sinon to v14 (Update defining-the-mergeability-of-pull-requests.md github/docs#398)
• d334dc6 fix(deps): upgrade node-glob to v8 (.Update keyboard-shortcuts.md github/docs#397)
• ba3b9a8 fix(deps): upgrade to htmlparser2 v8.0.1 (Translation of the last line into Portuguese github/docs#396)
• 48af50e fix(deps): update dependency gaxios to v5 (Repairing .allcontributorsrc github/docs#391)
• 78ae8b5 chore(deps): update github/codeql-action action to v2 (Update autolinked-references-and-urls.md github/docs#393)
• 0b31851 chore(deps): update dependency mocha to v10 (Update identifying-and-authorizing-users-for-github-apps.md github/docs#394)
• e586584 build(deps): bump minimist from 1.2.5 to 1.2.6 (docs: Add Chinese translation github/docs#387)
• 1cc3a88 docs: Update latest major version specified in SECURITY.md (repo sync github/docs#380)
• 833fd33 chore(deps): update actions/checkout action to v3 (#385)
• 1835248 chore(deps): update actions/setup-node action to v3 (#383)
• 4a16353 build(deps): bump simple-get from 3.1.0 to 3.1.1 (repo sync github/docs#379)
• 65dfb90 chore(deps): update dependency simple-get to 3.1.1 [security] (Neftali github/docs#378)
• 96d3ddf chore(deps): update dependency nanoid to 3.1.31 [security] (repo sync github/docs#377)
• ad1e73e build(deps): bump node-fetch from 2.6.1 to 2.6.7 (API Libraries Design update github/docs#376)
• 9b287c3 chore(deps): update dependency sinon to v13 (repo sync github/docs#375)

See the full diff

Package name: node-fetch

The new version differs by 217 commits.

• 2880238 fix: ReDoS referrer (Behance github/docs#1611)
• e87b093 fix(Headers): don't forward secure headers on protocol change (Amazoncloud.tv github/docs#1599)
• bcfb71c chore: remove triple-slash directives from typings (repo sync github/docs#1285) (sudo-mode.md github/docs#1287)
• 95165d5 fix spelling (Don't specify registry specific path github/docs#1602)
• 11b7033 fix: possibly flaky test (add recent localization contributors**1 github/docs#1523)
• 4f43c9e fix: always warn Request.data ([email protected] github/docs#1550)
• 1c5ed6b fix: undefined reference to response.body when aborted (repo sync github/docs#1578)
• a92b5d5 fix: use space in accept-encoding values (Webpage github/docs#1572)
• 0f122b8 docs: fix formdata code example (Thanks very much for contributing! Your pull request has been merged 🎉 You should see your changes appear on the site in approximately 24 hours. github/docs#1562)
• 6ae9c76 docs(readme): response.clone() is not async (Favicon might be invisible github/docs#1560)
• 043a5fc Fix leaking listeners (repo sync github/docs#1295) (repo sync github/docs#1474)
• 004b3ac fix: don't uppercase unknown methods (Update configuring-docker-for-use-with-github-packages.md github/docs#1542)
• c33e393 Fix Code of Conduct link in Readme. (Sk_live github/docs#1532)
• 6875205 docs: Fix link markup to Options definition (Instruction list being repeated thrice. github/docs#1525)
• 6425e20 fix: handle bom in text and json (repo sync github/docs#1482)
• a4ea5f9 fix: add missing formdata export to types (Rename contributing/localization-checklist.md to contributing/massto/… github/docs#1518)
• 61b3b5a fix: cancel request example import (Update about-pull-requests.md github/docs#1513)
• 5e78af3 Replace changelog with valid url (Fix typo github/docs#1506)
• 9014db7 types: support `agent: false` (Include work around for wildcards in HTTP Proxy Exclusion list on GHES github/docs#1502)
• 2e1f3a5 chore: fix typo in credential error message (Suggest to avoid "Master branch" instead of "Default branch" github/docs#1496)
• 4ce2ce5 docs(readme): fix typo (Update githubs-products.md github/docs#1489)
• ba23fd2 docs: remove the changelog (repo sync github/docs#1464)
• 8fedc1b core: move support and feature to discussion (repo sync github/docs#1471)
• 0b43b9f docs: update formdata example (repo sync github/docs#1465)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Open Redirect
🦉 Prototype Pollution